Security White Paper
Version No. 8
Apr 8, 2020
Ethnio, Inc.
6121 W Sunset Blvd Los Angeles, CA 90028 (888) 879-7439 Ethn.io
Ethnio Security White Paper
Table of Contents
1. Summary
1.1 What is Ethnio?
1.2 Technical Stack
1.3 SSO / 2FA
2. Compliance / Certifications / Audits
2.1 SOC2 Type 2
2.3 External Penetration Testing by Cobalt
2.3 GDPR Compliance
2.4 Privacy Shield
3. Infrastructure
3.1 Data Flow
3.2 Physical Security
3.3 Servers
3.4 Redundancy
3.5 Networks
3.6 Firewalls & DMZ
3.7 System & Audit Logs
4. Vulnerability Management
4.1 Automated Security Scans
4.2 Penetration Tests
4.3 Remediation
4.3 Code review prior to deployment
4.4 Data Transmission
4.5 Remediation, Notification, & Reporting
4.6 Intrusion Detection System (IDS)
4.7 Vendor Risk Assessment
4.8 Data Loss Prevention (DLP)
Ethnio, Inc. © 2020 CONFIDENTIAL Page of 2 25
5. Data & Security Policies
5.1 Data Handling & Disposal
5.2 Development Environment
5.3 Security Hardening
5.4 Version Control
5.5 Remote Access & Key Management
5.6 Employee & Device Access
5.7 Change Control & SDLC
5.8 SDLC Security
5.9 Data Security & Integrity
6. User Account Administration
6.1 Account Types
6.2 Password Management & Policies
6.3 Shared & Stale Accounts
6.4 API & System Standards
6.5 Account Cancellations & Permanent Deletion
6.6 Access Requests
6.7 Identity and Access Management Process (SSO)
7. Disaster Planning
7.1 Disaster Recovery Plan
7.2 Physical Facility
7.3 Recovery Time Objective (RTO)
7.4 Business Continuity Planning (BCP)
7.5 Backup policy
8. HR Policies
8.1 Provisioning Access
8.2 Training & Development
8.3 Contractors
8.4 Onboarding & Offboarding
8.5 Agreements
1. Summary
Since its creation in 2011, Ethnio security procedures and policies have evolved according to
industry best practices. This document is intended to give you an overview of Ethnio security
processes, and addresses the security measures we’ve taken to protect each of those
processes (such as secure data collection and disaster recovery). As with many SaaS providers,
particularly in the UX research space, Customers own and control their data. Ethnio treats all
customer data as highly confidential, and has never had a single security breach or unplanned
outage in over seven years of operation. We are constantly evolving along with industry best
practices, and are particularly aware of the increased scrutiny our customers face in keeping
data safe through vendors they trust. Ethnio intends to continue earning the trust of our
customers by providing clear and up-to-date security information.
1.1 What is Ethnio?
Ethnio is a research participant management tool for screening, emailing, scheduling, and
paying participants for research. There are five main modules in Ethnio and each can be used
independently or all together: Pool, Screeners, Intercepts, Scheduling, and Incentives.
• Pool: Upload / email participants from an existing CSV. Can include tagging, segments, engagement, etc.
• Incentives: Pay people for research. Any country, currency, or language.
• Screeners: Create a screener link to share. For in-person, remote, or general opt-in.
• Scheduling: Schedule 1:1 or group research. For in-person, remote, or general opt-in.
• Intercepts: Make a site or native app intercept. iOS, Android, or Web desktop and mobile.
1.2 Technical Stack
Ethnio currently uses Rails 4.2.11.1 on Ruby 2.51 on Nginx 1.10.3 and Puma with PostgreSQL
9.5.9 and Redis. We’ve used AngularJS for some navigation, editing questions, scheduling and
recruits pages. We use Rails caching based on Redis to show screeners and on marketing
pages. Elasticsearch is our search engine in Pool. Finally, we’re using Sidekiq for background
processing. For monitoring we use New Relic, Monit, and Pingdom, and our uptime
percentage has been 99.96% or higher for over three years: stats.ethn.io
1.3 SSO / 2FA
We currently offer both SSO and 2FA as security add-ons for
Enterprise customers. Ethnio highly recommends setting up
these tools to improve application security, however we don’t
force customers to activate both. Based on certain security
flags, the system will force 2FA automatically for risk profiles.
Ethnio currently uses Authy via Twilio for 2FA.
2. Compliance / Certifications / Audits
Ethnio is committed to keeping the data you share secure and private. As a result, there are a
number of tests and audits Ethnio undertakes to maintain full compliance with current best-
practice security standards.
2.1 SOC2 Type 2
Ethnio stores all customer data in a TierPoint-managed SOC2 Type 2
accredited data center in Dallas, TX. Additionally, Ethnio is under engagement
with A-LIGN for complete organizational SOC2 Type 1 & Type 2 certification
with target completion dates for both in 2020.
2.3 External Penetration Testing by Cobalt
Ethnio completes annual external pen tests to locate and fix vulnerabilities in the
system. This helps us identify common weaknesses across the application and
strengthen our entire security posture.
2.3 GDPR Compliance
Ethnio is in full compliance with GDPR. Read more here:
ethn.io/gdpr
2.4 Privacy Shield
We like the EU and their privacy principles and Ethnio is EU-US and Swiss-US
certified using the Privacy Shield Framework, certified through October,
2020 and has been in continuous compliance since October, 2017.
3. Infrastructure
3.1 Data Flow
Customers can only access Ethnio through SSL and optionally SSO to use a logged-in Ethnio
client in the browser. The diagram below represents current data flow from that logged-in
client, as well as an ongoing migration to a VPC (Virtual Private Cloud) across two availability
zones in AWS.
3.2 Physical Security
Ethnio uses a TierPoint-managed data center in Dallas, TX, running
a Cisco networking environment. The facility is staffed 24×7 by
technicians who perform all our remote work (e.g. changing drives,
memory or swapping servers). It’s a SAS 70 Type II audited facility in a single-story, single-
tenant building for enhanced control and security.
• Multiple layers of security & authentication; including card key, PIN, & biometric required
for facility entrance
• Intrusion detection systems to prevent unauthorized electronic access
• Firewall management and monitoring services
• Full CCTV surveillance backed by digital recording on file for 90 days
• Remote hands to perform tape rotations and hardware swaps
• Constant management of all environmental systems (power, HVAC, fire, security and IDS)
• Remote monitoring of client equipment
• Locking cabinets and/or cages, Colo4 retains all keys
• Motion detection for lighting
• 30 inch raised floors
• 300 lbs/sq ft floor load
• Redundant HVAC with Liebert air handlers
• Each CRAC unit supported by independent roof mounted condenser
• Wind roof rating FM-90
• 11.1 MW of utility power
• 250 watts/sq ft
• Four (4) autonomous N+1 power plants delivering true A & B power supply
• Four (4) backup diesel generators on standby
• Generators tested bi-weekly and routinely run at full load
• Cabinet laid out for optimum airflow - hot and cold aisles separate exhaust and intake
• Solid cabling routed neatly overhead
• Ambient temperature of 70 degrees
• Pre-action dry pipe fire suppression
• Integrated smoke/heat detector system
3.3 Servers
Ethnio has dedicated servers in an isolated cluster at a TierPoint-managed data center in
Dallas, TX with redundant warm mirror on-site, and offsite encrypted backups at another
TierPoint data center in New Zealand. As part of ongoing enhancements to redundancy and
security, Ethnio is migrating to a VPC in AWS with multiple availability zones in 2020.
3.4 Redundancy
All Ethnio production infrastructure is built with redundancies in place, both within our
primary data center and off-site at the secondary data center. As mentioned above, Ethnio is
migrating to a VPC (Virtual Private Cloud) across two availability zones in AWS. For exact
timeline and details, contact us at [email protected].
3.5 Networks
Ethnio uses three logically and physically separate networks: corporate, development, and
production networks. The corporate network supports internal business functions and the
authentication mechanism is completely separate from the development and production
environments. The development network is designed to support rapid deployment and
product design, as well as QA. No wireless networks are attached to this network.
The production network is located in our TierPoint–managed data center and is designed and
built to be fully redundant. Network infrastructure is also designed to be fully redundant and
fault tolerant. Servers are configured with redundant network interface cards and power
supplies.
3.6 Firewalls & DMZ
Ethnio uses multiple redundant tiers of protection for hosted customer data. Firewall
systems are in place to filter unauthorized inbound network traffic and deny any type of
network connection that is not explicitly authorized. Network address translation (NAT)
functionality is utilized to manage internal IP addresses. Administrative access to the firewall is
restricted to authorized employees. Redundancy is built into the system infrastructure
supporting the data center services to help ensure that there is no single point of failure that
includes firewalls, routers, and servers. In the event that a primary system fails, the redundant
hardware is configured to take its place.
On all TierPoint Ethnio servers, access control technologies, such as demilitarized zones
(DMZ), encryption techniques, internal firewalls, VPNs, and Virtual Local Area Networks
(VLAN), along with unique user account verifications, access lists, and passwords restrict
unauthorized access to customer hosts and data.
Ethnio employs a web application firewall for protection against DDoS and web application
attacks. Isolated at the network level, Ethnio uses several approaches to detect external
attacks. Common examples of the types of attacks Ethnio firewalls can catch are application-
layer DDoS, SQL injection and XSS. Traffic will be automatically dropped or rerouted. Web
application firewalls are also configured to restrict any suspicious network traffic. Firewalls
with IDS/IPS capabilities are also enabled (see 4.6 IPS).
3.7 System & Audit Logs
Ethnio logs critical system and performance events on our servers, including all access to
sensitive systems, authentication, and data access through all device types including mobile and desktop. Logs are rotated and destroyed on a regular schedule, which is secured with
limited access and regularly reviewed. Sensitive logs are encrypted. Audit logs are generated
for all operating systems and browsers, and encrypted as part of Ethnio’s Github integration.
Log files typically contain timestamp, id, IP address, and other info. Real-time dashboards
provide insight into the log files using advanced analysis techniques. No personal data is
captured in log files, and they are internal only and unavailable to Customers. Sample log:
4. Vulnerability Management
Ethnio follows all industry best-practices for vulnerability management, including regular
maintenance and the use of popular tools for identifying vulnerabilities. This includes anti-
malware apps, penetration tests, automated vulnerability scans, and white-hat powered bug
bounty programs.
4.1 Automated Security Scans
We currently run several automated security scanning tools, and run
reports at least once per quarter, but often more frequently than that,
especially if we’re deploying major features.
• Nmap: Network Vulnerability Scan
• Snort: Intrusion Detection
• HackerOne: Bug Bounty Program
• Qualys: Vulnerability Scan
4.2 Penetration Tests
Ethnio conducts ongoing penetration testing on the production environment as well as manual
external penetration testing using the Cobalt platform. Penetration testing is conducted to
measure the security posture of a target system or environment. Cobalt uses an accepted
industry standard penetration testing methodology. Cobalt’s approach begins
with a vulnerability analysis of the target system to determine what
vulnerabilities exist on the system that can be exploited via a penetration test,
simulating a disgruntled/disaffected insider or an attacker that has obtained
internal access to the network. Vulnerability scanning is performed throughout
the year by Cobalt or a similarly accepted provider.
4.3 Remediation
Remediation plans are included immediately after yearly pen tests and can be found here:
ethn.io/docs/remediation.pdf
4.3 Code review prior to deployment
Every pull request in Ethnio is managed and approved by multiple developers, in line with
industry best developer practices. This ensures Ethnio can monitor third party libraries and
code as part of ongoing vulnerability management. We use Github, and perform both manual
and automated code review to identify security defects prior to production release. This helps
Ethnio identify and address any issues prior to deployment. See Section 5.7 for more
information on SDLC.
4.4 Data Transmission
All data is encrypted in transit via SSL with an A rating on SSL / TLS settings from SSL labs:
ssllabs.com/ssltest/analyze. Ethnio maintains an updated certificate and can require secure
access at customer’s request.
4.5 Remediation, Notification, & Reporting
As part of ongoing vulnerability remediation, Ethnio is required to provide updates to
Customers about any security or privacy issues that may affect Customers in updates.ethn.io.
Customers may subscribe to any category, such as Security, to receive ongoing email updates.
We create remediation plans as necessary to address high risk vulnerabilities within 15 days
and moderate risk vulnerabilities within 30 days.
4.6 Intrusion Detection System (IDS)
Ethnio employs several systems on the network where customer data is stored. We use a
packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to
detect a dangerous payload or suspicious anomalies. Through protocol analysis and content
searching and matching, we detect attack methods, including denial of service, buffer
overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is
detected, the Ethnio security team receives a real-time alert. In addition to custom tools,
Ethnio uses Snort, OSSEC, and NIDS (network intrusion detection system).
In addition to IDS, Ethnio uses an isolated Intrusion Protection System (IPS) for proactive
network traffic blocking if malicious traffic is detected. The Ethnio IPS is a second layer of
security, which will block access as soon as any suspicious login activity is detected.
4.7 Vendor Risk Assessment
Risk assessment is fundamental to the initial decision of whether or not to enter into a vendor relationship. The evaluation of a third party may include the following:
• Technical and Industry Expertise
• Operations and Controls: complete and timely access to the information
• Compliance: Ethnio reviews TierPoint’s SOC2 assessment annually
• Financial condition: enough to support the required level of service
• Contract issues: addressing the vendor’s responsibility for security and confidentiality
Ethnio will assess the vendor’s experience and ability to provide the necessary services for current and anticipated needs and operating environments. The vendor’s duration in business and reputation will also be considered and evaluated to check performance history.
Where possible, Ethnio will take into account the adequacy of a vendor’s standards, policies and procedures relating to internal controls, facilities management (access requirements, sharing of facilities, etc.), security (systems, data, equipment, etc.), privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance and employee background checks.
Ethnio will not enter into an agreement with a vendor if there is significant litigation or regulatory action against the vendor that might impact the relationship and performance of the service. When entering into a contract, it is management’s responsibility to ensure that the performance standards are addressed within the vendor contract, and management will review and sign off on the vendor risk assessment.
For key vendors, risks will be identified, documented, and prioritized relating to the vulnerabilities and threat they pose.
4.7.1 REMEDIATION & TRACKING
Where practical, vendor contracts should contain a provision for the resolution of disputes in a timely manner. The contract should also provide for the continuation of services during the dispute resolution period. Ethnio also maintains a record of any security issues that arise from vendors.
4.8 Data Loss Prevention (DLP)
In addition to the four main active efforts to protect against
data loss (Backups, Encryption, Monitoring, and Disaster
Recovery planning), Ethnio also runs Nightfall AI integrated
with Github via API.
| Threat | Inherent Risk | Impact | Likelihood | Mitigating Controls | Residual Risk | Conclusion / Possible Additional Counter Measure |
|---|---|---|---|---|---|---|
| Management interface APIs | Medium | Low | Medium | Directly monitoring web applications | Medium | Reviewing API portals |
| Financial condition | High | Medium | Medium | Consider the required level of service | | Check existing litigation or regulatory actions. |
| Operations and Controls | Medium | Medium | Medium | Complete access to information | Medium | Consider adequacy of a vendor’s facility |
| Physical Security | High | High | Low | TierPoint SOC2 managed data center | High | Access only by role requirements |
5. Data & Security Policies
Ethnio only acts as a Data Processor (a company that processes Personally Identifiable
Information on behalf of a Data Controller) so that each Ethnio Customer acts as a Data
Controller (a company that determines the purposes for which, and the means by which, the
Personally Identifiable Information is processed).
To process information means to carry out an operation or set of operations on the
information, such as collecting, recording, storing, disclosing, or organizing it. Information that
Screener Respondents provide to Ethnio Customers passes through our service and resides on
our servers, in the most secure manner adhering to industry guidelines. That information may
be stored and processed in the United States or any other country in which Ethnio or its
affiliates, subsidiaries or agents maintain facilities.
The full list of privacy terms can be found here: ethn.io/privacy.
5.1 Data Handling & Disposal
Customers have full control over data expiration, retention, and deletion. Ethnio offers detailed
automatic data expiration options per GDPR compliance. This is covered in detail here:
ethn.io/data_retention_and_expiration. The types of data deletion Ethnio offers are as
follows:
• Delete an individual source from Pool (e.g. Upload)
• Delete a single response
• Delete multiple responses
• Delete an entire screener (all related data)
5.2 Development Environment
We use a secure Github repository, and all code is deployed and tested in a staging
(development) environment that is functionally equivalent to the production environments. No
Customer Data is used in the staging environment.
5.3 Security Hardening
With only the SSL-encrypted Github repositories, Clubhouse task management, and
Rimuhosting secured data facility in Dallas, the Ethnio system has the most limited points of
vulnerability. We can offer a Tripwire audit at additional cost.
5.4 Version Control
Version control software is utilized to maintain source code versions and migrate source code
through the development process to the production environment. The version control software
maintains a history of code changes to support rollback capabilities and tracks changes to
developers. Ethnio uses Git to manage changes in the codebase, which is also industry
standard.
5.5 Remote Access & Key Management
The only remote access to Ethnio servers is through SSH. Each developer has a unique
cryptographic key and access is closely monitored. We also require two factor authentication
and the entire workflow from key generation to revocation is controlled as part of Ethnio’s
Employee and Device Access policies. Ethnio rotates keys at least once per year.
By default, customers have zero access to cryptographic keys. Upon request, customers may
obtain single tenancy as part of AWS infrastructure, and their own keys, but this is a custom
Enterprise add-on.
5.6 Employee & Device Access
No Ethnio employees can gain access to servers using their mobile device. If an employee is
terminated, accounts are immediately removed from all data sources - Rimuhosting,
Clubhouse, Github, etc. Device wipes are performed manually.
5.7 Change Control & SDLC
Ethnio maintains documented Systems Development Life Cycle (SDLC) policies and
procedures to guide employees in documenting and implementing application and
infrastructure changes. Change control procedures include change request and initiation
processes, documentation requirements, development practices, quality assurance testing
requirements, and required approval procedures. All the software that Ethnio employees use
during the normal course of business is from large SaaS providers like Google, Github, and
Gusto. Ethnio reviews application acquisition along with all key policies annually, but Ethnio
relies on SaaS providers for tight control access and remote onboarding/offboarding for all
employees. Additionally, Ethnio requires compliance and certification from our key SaaS
providers like SOC2 Type 2 reports or PCI compliance.
Quality assurance testing and User Acceptance Testing (UAT) results are documented and
maintained with the associated change request. Management approves changes prior to
migration to the production environment and documents those approvals within the ticketing
system.
Ethnio has also implemented a patch management process to ensure contracted customer and
infrastructure systems are patched in accordance with vendor recommended operating
system patches. Ethnio reviews proposed operating system patches to determine whether the
patches are applied. Ethnio is responsible for determining the risk of applying or not applying
patches based upon the security and availability impact of those systems and any critical
applications hosted on them. Ethnio staff validate that all patches have been installed and if
applicable that reboots have been completed.
5.8 SDLC Security
As part of each phase in Ethnio’s secure development lifecycle, there are manual industry-
standard tools and automated checks for security defects or data corruption. This includes
Ethnio policies that require all vendors to adhere to industry standards for SDLC security, as
well as the following:
• Automated – Codacy for automated source code analysis
• Manual – Github settings for all Ethnio repositories require code review, including manual
source code analysis, prior to any production pull request being approved
5.9 Data Security & Integrity
Data integrity refers to the reliability and accuracy of data over its lifecycle. Compromised
data is of little use to Ethnio or customers, not to mention the dangers of sensitive data loss.
For this reason, maintaining data integrity is a core focus of Ethnio, including both of the
following policies:
• Manual – To prevent application or database errors, corruption, or misuse, Ethnio uses go data integrity (godi) or similar tools
• Automated – Ethnio uses pgcheck within PostgreSQL, which is the primary database.
6. User Account Administration
Please find below all the ways that Ethnio and Customer can control authentication & access
to Customer Data using Ethnio.
6.1 Account Types
Within Ethnio application accounts, there are three roles where Customers have powerful fine-
grain permission control over each role. Those permission controls include business function
and limiting access to Ethnio Data by access role. The three roles are:
1. Owner
2. Team member
3. Admin
On a system level, there are three types of accounts in the Ethnio infrastructure - application
accounts available to the public, paid accounts, and administration accounts. Administration
accounts are only issued to Ethnio employees and require encrypted passwords. The other two
account types allow user-selected passwords and are stored with a hash in the MySQL DB.
The identity of users must be authenticated before providing them with account and password
details.
6.2 Password Management & Policies
Ethnio follows strict password rules across both system and end user accounts. We do not
send passwords via email and offer unique password reset links - standard industry best
practice. Our password requirements are currently 8 character minimum, at least one
uppercase, one symbol (!,$,#,@,etc), and one number.
6.3 Shared & Stale Accounts
Use of shared accounts is not allowed, and we use IP-tracking to prevent this practice, as well
as 2FA. There are also scheduled system routines in place to check for inactive accounts after
a defined grace period, which varies by account type. For example, self-service accounts are
allowed to remain stale for longer than Enterprise accounts.
6.4 API & System Standards
Access to Ethnio via secure token in the API may grant access to certain customer-defined
data associated with a given screener, but that is entirely up to each customer and their use of
the API. For example, if a customer wishes to send responses from a screener to
UserTesting.com, Ethnio may pass that data securely. More information on this can be found
here: [email protected].
6.5 Account Cancellations & Permanent Deletion
For any permanently cancelled Customer account, Ethnio will automatically and permanently
wipe all customer data from all servers within 24 hours of account deletion, including backup
servers and sub-processors. The Customer will receive an email notification immediately upon
deleting their account.
6.6 Access Requests
The approval process for handling system or application access requests goes through the
senior developer team manually.
6.7 Identity and Access Management Process (SSO)
If a customer enables access to Ethnio using SSO, Ethnio offers account provisioning and
deprovisioning through an automated system. Ethnio account owners or admins can easily
manage access privileges for a variety of users in the account.
7. Disaster Planning
7.1 Disaster Recovery Plan
We maintain a separate policy for our disaster recovery plan, which also covers Business
Impact Analysis (BIA) and Business Continuity Planning (BCP). You can find that below:
Full Ethnio Disaster Recovery Plan: ethn.io/dr
7.2 Physical Facility
Remote backups are performed regularly and stored in a different physical location from the
main servers. TierPoint and Rimuhosting provide UPS, generators, and real-time monitoring.
Off-site backups are stored in our secondary data center in New Zealand, which uses the same
industry-standard AES256 encryption as the primary hosts.
7.3 Recovery Time Objective (RTO)
Ethnio has taken action to minimize the risk of data loss. Ethnio’s Recovery Time Objective is
24 hours to resume normal operations in the event of a disaster, with the goal of a full data
restoration in the same time due to our robust data center security.
7.4 Business Continuity Planning (BCP)
Ethnio has been designed to be recoverable and robust with physically separated servers. As
an additional safeguard to the main center, Ethnio uses a warm, up-to-the-second mirror data
center to support a speedy recovery of critical data.
7.5 Backup policy
There are three primary methods of backups that Ethnio employs:
1) Warm database backups updated every second on a dedicated mirror
2) On-site daily backups
3) Remote backups performed every few hours and stored in a different physical location
from the main servers. TierPoint and Rimuhosting provide UPS, generators, and real-time
monitoring. Off-site backups are stored in our secondary data center in New Zealand, which
uses the same industry-standard AES256 encryption as the primary hosts.
8. HR Policies
Ethnio holds all new hires to rigorous standards of talent, references, and verified track
records. Ethnio follows strict privacy guidelines, and may use Hire Right to perform
background checks. Upon hire, employees are required to sign multiple agreements that
address the risks of dealing with sensitive data.
8.1 Provisioning Access
Access to administrative tools and customer accounts is closely controlled by Ethnio to
ensure appropriate authorization. Employees are only given access to production
environments or customer data for proven essential job duties, and all access is reviewed
through administrative controls. Additionally, employees must complete training and pass a
series of internal checks. When access is removed, logs are kept in the appropriate tool or
system.
8.2 Training & Development
Ethnio employees undergo training on company policies, privacy, and security practices. This
training includes network security, device security, all aspects of customer and organizational
privacy, and password and 2FA management. All employees are instructed to report potential
security incidents to [email protected]. Training also covers mobile devices of all kinds, and
what can be used to access Ethnio system data, including BYOD (bring your own device)
requirements and regulations, systems allowed for use or access, and understanding around
Ethnio oversight and litigation.
8.3 Contractors
All contractors submit references and full contractor agreements with verification of
employment status. New contractors with engineering tasks are given specific limitations to
the production environment.
8.4 Onboarding & Offboarding
In addition to training, role-based onboarding includes seat provisioning for any critical
internal Ethnio tools if applicable, which can be revoked during offboarding or when an
employee no longer requires access. Additionally, Ethnio uses Gusto for managing HR
compliance, documents, and policies. This offers direct access to certified HR experts, via the
HR Support Center, and includes encryption for all employee data. Additionally, Ethnio relies
on the Google Suite to log and provision employee access for both onboarding and offboarding.
8.5 Agreements
Every employee and contractor signs comprehensive agreements with Ethnio covering
confidentiality, customer data access, intellectual property, essential duties, exempt status,
appropriate employment law, and standard clauses for all employment types. One employee
stubbornly refuses to sign any agreements, and Ethnio has been working for years to convince
Sela, pictured below, to sign. If you see this princess, ask her to sign.