
Security White Paper

Version No. 8

Apr 8, 2020

Ethnio, Inc.

6121 W Sunset Blvd Los Angeles, CA 90028 (888) 879-7439 Ethn.io

Ethnio™


Ethnio Security White Paper

Table of Contents

1. Summary  4
1.1 What is Ethnio?  4
1.2 Technical Stack  5
1.3 SSO / 2FA  5
2. Compliance / Certifications / Audits  6
2.1 SOC2 Type 2  6
2.3 External Penetration Testing by Cobalt  6
2.3 GDPR Compliance  6
2.4 Privacy Shield  6
3. Infrastructure  7
3.1 Data Flow  7
3.2 Physical Security  8
3.3 Servers  9
3.4 Redundancy  9
3.5 Networks  9
3.6 Firewalls & DMZ  10
3.7 System & Audit Logs  11
4. Vulnerability Management  12
4.1 Automated Security Scans  12
4.2 Penetration Tests  12
4.3 Remediation  13
4.3 Code review prior to deployment  13
4.4 Data Transmission  13
4.5 Remediation, Notification, & Reporting  13
4.6 Intrusion Detection System (IDS)  14
4.7 Vendor Risk Assessment  14
4.8 Data Loss Prevention (DLP)  15

Ethnio, Inc. © 2020 CONFIDENTIAL


5. Data & Security Policies  16
5.1 Data Handling & Disposal  16
5.2 Development Environment  16
5.3 Security Hardening  17
5.4 Version Control  17
5.5 Remote Access & Key Management  17
5.6 Employee & Device Access  17
5.7 Change Control & SDLC  18
5.8 SDLC Security  19
5.9 Data Security & Integrity  19
6. User Account Administration  20
6.1 Account Types  20
6.2 Password Management & Policies  20
6.3 Shared & Stale Accounts  21
6.4 API & System Standards  21
6.5 Account Cancellations & Permanent Deletion  21
6.6 Access Requests  21
6.7 Identity and Access Management Process (SSO)  21
7. Disaster Planning  22
7.1 Disaster Recovery Plan  22
7.2 Physical Facility  22
7.3 Recovery Time Objective (RTO)  22
7.4 Business Continuity Planning (BCP)  22
7.5 Backup policy  23
8. HR Policies  24
8.1 Provisioning Access  24
8.2 Training & Development  24
8.3 Contractors  24
8.4 Onboarding & Offboarding  25
8.5 Agreements  25


1. Summary

Since its creation in 2011, Ethnio security procedures and policies have evolved according to industry best practices. This document is intended to give you an overview of Ethnio security processes, and addresses the security measures we’ve taken to protect each of those processes (such as secure data collection and disaster recovery). As with many SaaS providers, particularly in the UX research space, Customers own and control their data. Ethnio treats all customer data as highly confidential, and has never had a single security breach or unplanned outage in over seven years of operation. We are constantly evolving along with industry best practices, and are particularly aware of the increased scrutiny our customers face in keeping data safe through vendors they trust. Ethnio intends to continue earning the trust of our customers by providing clear and up-to-date security information.

1.1 What is Ethnio?

Ethnio is a research participant management tool for screening, emailing, scheduling, and paying participants for research. There are five main modules in Ethnio and each can be used independently or all together: Pool, Screeners, Intercepts, Scheduling, and Incentives.


• Pool: Upload / email participants from an existing CSV. Can include tagging, segments, engagement, etc.
• Screeners: Create a screener link to share. For in-person, remote, or general opt-in.
• Intercepts: Make a site or native app intercept. iOS, Android, or Web desktop and mobile.
• Scheduling: Schedule 1:1 or group research. For in-person, remote, or general opt-in.
• Incentives: Pay people for research. Any country, currency, or language.


1.2 Technical Stack

Ethnio currently uses Rails 4.2.11.1 on Ruby 2.51 on Nginx 1.10.3 and Puma with PostgreSQL 9.5.9 and Redis. We’ve used AngularJS for some navigation, editing questions, scheduling and recruits pages. We use Rails caching based on Redis to show screeners and on marketing pages. Elasticsearch is our search engine in Pool. Finally, we’re using Sidekiq for background processing. For monitoring we use New Relic, Monit, and Pingdom, and our uptime percentage has been 99.96% or higher for over three years: stats.ethn.io

1.3 SSO / 2FA

We currently offer both SSO and 2FA as security add-ons for Enterprise customers. Ethnio highly recommends setting up these tools to improve application security; however, we don’t force customers to activate both. Based on certain security flags, the system will force 2FA automatically for risk profiles. Ethnio currently uses Authy via Twilio for 2FA.


2. Compliance / Certifications / Audits

Ethnio is committed to keeping the data you share secure and private. As a result, there are a number of tests and audits Ethnio undertakes to maintain full compliance with current best-practice security standards.

2.1 SOC2 Type 2

Ethnio stores all customer data in a TierPoint-managed SOC2 Type 2 accredited data center in Dallas, TX. Additionally, Ethnio is under engagement with A-LIGN for complete organizational SOC2 Type 1 & Type 2 certification, with target completion dates for both in 2020.

2.3 External Penetration Testing by Cobalt

Ethnio completes annual external pen tests to locate and fix vulnerabilities in the system. This helps us identify common weaknesses across the application and strengthen our entire security posture.

2.3 GDPR Compliance

Ethnio is in full compliance with GDPR. Read more here: ethn.io/gdpr

2.4 Privacy Shield

We like the EU and their privacy principles, and Ethnio is EU-US and Swiss-US certified using the Privacy Shield Framework, certified through October 2020, and has been in continuous compliance since October 2017.


3. Infrastructure

3.1 Data Flow

Customers can only access Ethnio through SSL and optionally SSO to use a logged-in Ethnio client in the browser. The diagram below represents current data flow from that logged-in client, as well as an ongoing migration to a VPC (Virtual Private Cloud) across two availability zones in AWS.


3.2 Physical Security

Ethnio uses a TierPoint-managed data center in Dallas, TX, running a Cisco networking environment. The facility is staffed 24×7 by technicians who perform all our remote work (e.g. changing drives, memory or swapping servers). It’s a SAS 70 Type II audited facility in a single-story, single-tenant building for enhanced control and security.

• Multiple layers of security & authentication, including card key, PIN, & biometric required for facility entrance
• Intrusion detection systems to prevent unauthorized electronic access
• Firewall management and monitoring services
• Full CCTV surveillance backed by digital recording on file for 90 days
• Remote hands to perform tape rotations and hardware swaps
• Constant management of all environmental systems (power, HVAC, fire, security and IDS)
• Remote monitoring of client equipment
• Locking cabinets and/or cages, Colo4 retains all keys
• Motion detection for lighting
• 30 inch raised floors
• 300 lbs/sq ft floor load
• Redundant HVAC with Liebert air handlers
• Each CRAC unit supported by independent roof mounted condenser
• Wind roof rating FM-90
• 11.1 MW of utility power
• 250 watts/sq ft
• Four (4) autonomous N+1 power plants delivering true A & B power supply
• Four (4) backup diesel generators on standby
• Generators tested bi-weekly and routinely run at full load
• Cabinet laid out for optimum airflow - hot and cold aisles separate exhaust and intake
• Solid cabling routed neatly overhead
• Ambient temperature of 70 degrees
• Pre-action dry pipe fire suppression
• Integrated smoke/heat detector system


3.3 Servers

Ethnio has dedicated servers in an isolated cluster at a TierPoint-managed data center in Dallas, TX with a redundant warm mirror on-site, and offsite encrypted backups at another TierPoint data center in New Zealand. As part of ongoing enhancements to redundancy and security, Ethnio is migrating to a VPC in AWS with multiple availability zones in 2020.

3.4 Redundancy

All Ethnio production infrastructure is built with redundancies in place, both within our primary data center and off-site at the secondary data center. As mentioned above, Ethnio is migrating to a VPC (Virtual Private Cloud) across two availability zones in AWS. For exact timeline and details, contact us at [email protected].

3.5 Networks

Ethnio uses three logically and physically separate networks: corporate, development, and production networks. The corporate network supports internal business functions and the authentication mechanism is completely separate from the development and production environments. The development network is designed to support rapid deployment and product design, as well as QA. No wireless networks are attached to this network.

The production network is located in our TierPoint-managed data center and is designed and built to be fully redundant. Network infrastructure is also designed to be fully redundant and fault tolerant. Servers are configured with redundant network interface cards and power supplies.


3.6 Firewalls & DMZ

Ethnio uses multiple redundant tiers of protection for hosted customer data. Firewall systems are in place to filter unauthorized inbound network traffic and deny any type of network connection that is not explicitly authorized. Network address translation (NAT) functionality is utilized to manage internal IP addresses. Administrative access to the firewall is restricted to authorized employees. Redundancy is built into the system infrastructure supporting the data center services to help ensure that there is no single point of failure; this includes firewalls, routers, and servers. In the event that a primary system fails, the redundant hardware is configured to take its place.

On all TierPoint Ethnio servers, access control technologies, such as demilitarized zones (DMZ), encryption techniques, internal firewalls, VPNs, and Virtual Local Area Networks (VLAN), along with unique user account verifications, access lists, and passwords, restrict unauthorized access to customer hosts and data.

Ethnio employs a web application firewall for protection against DDoS and web application attacks. Isolated at the network level, Ethnio uses several approaches to detect external attacks. Common examples of the types of attacks Ethnio firewalls can catch are application-layer DDoS, SQL injection and XSS. Traffic will be automatically dropped or rerouted. Web application firewalls are also configured to restrict any suspicious network traffic. Firewalls with IDS/IPS capabilities are also enabled (see 4.6 IPS).


3.7 System & Audit Logs

Ethnio logs critical system and performance events on our servers, including all access to sensitive systems, authentication, and data access through all device types including mobile and desktop. Logs are rotated and destroyed on a regular schedule; they are secured with limited access and regularly reviewed. Sensitive logs are encrypted. Audit logs are generated for all operating systems and browsers, and encrypted as part of Ethnio’s Github integration. Log files typically contain timestamp, id, IP address, and other info. Real-time dashboards provide insight into the log files using advanced analysis techniques. No personal data is captured in log files, and they are internal only and unavailable to Customers. Sample log:
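The paper's own sample log is an image that is not reproduced here. The block below is an added example, written for this edit and not taken from Ethnio's code, showing one way the two claims in this section can be enforced and checked in a Rails-style Ruby app: an audit record that carries only a timestamp, an id, an IP address and allow-listed details, with e-mail addresses and phone numbers scrubbed from free text, plus a review-time scan that flags any personal data that still reached a log line. The field names, the PII key list, the redaction patterns and the sample events are assumptions made for the illustration.

```ruby
require 'json'
require 'time'
require 'ipaddr'

# Added example, not Ethnio's logging code: builds audit-log records of the
# shape the paper describes (timestamp, id, IP address, other info) while
# keeping personal data out of them. Field names, the PII key list and the
# redaction patterns are assumptions for illustration.

EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/
# Deliberately coarse: ten or more digits with optional separators. A review
# scan should favour false positives over missed leaks.
PHONE_RE = /(?:\+?\d[\s-]?){10,}/

# Detail keys that hold direct personal data; they are dropped, never logged.
PII_KEYS = %w[name email phone address].freeze

def redact_text(text)
  text.gsub(EMAIL_RE, '[email redacted]').gsub(PHONE_RE, '[phone redacted]')
end

# Returns a Hash with only allow-listed, scrubbed fields. A malformed IP raises
# rather than producing a record that cannot be correlated later.
def audit_record(event:, actor_id:, ip:, details: {}, at: Time.now.utc)
  IPAddr.new(ip)
  safe_details = details.each_with_object({}) do |(key, value), acc|
    next if PII_KEYS.include?(key.to_s)
    acc[key.to_s] = value.is_a?(String) ? redact_text(value) : value
  end
  { 'ts' => at.iso8601, 'event' => event, 'actor_id' => actor_id,
    'ip' => ip, 'details' => safe_details }
end

# One JSON line per event, the form most log shippers and dashboards ingest.
def audit_line(**kwargs)
  JSON.generate(audit_record(**kwargs))
end

# Review-time check over finished log lines: anything that still looks like an
# e-mail address or phone number is a leak to investigate.
def pii_leaks(lines)
  lines.select { |line| line.match?(EMAIL_RE) || line.match?(PHONE_RE) }
end

# Constructed sample events; the second one carries a participant's e-mail in
# free text, which the record builder must scrub.
def demo_lines
  at = Time.utc(2020, 4, 8, 12, 0, 0)
  [
    audit_line(event: 'login.success', actor_id: 42, ip: '203.0.113.5',
               details: { name: 'Jane Doe', note: 'via SSO' }, at: at),
    audit_line(event: 'response.export', actor_id: 42, ip: '203.0.113.5',
               details: { screener_id: 17, note: 'sent to jane@example.com' }, at: at)
  ]
end

puts demo_lines if __FILE__ == $PROGRAM_NAME
```

Scrubbing at write time and scanning at review time are two separate controls on purpose: the first keeps personal data out of the log, the second is the evidence a reviewer can point to when asked how the "no personal data in logs" statement is verified.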


4. Vulnerability Management

Ethnio follows all industry best practices for vulnerability management, including regular maintenance and the use of popular tools for identifying vulnerabilities. This includes anti-malware apps, penetration tests, automated vulnerability scans, and white-hat powered bug bounty programs.

4.1 Automated Security Scans

We currently run several automated security scanning tools, and run reports at least once per quarter, but often more frequently than that, especially if we’re deploying major features.

• Nmap Network Vulnerability Scan
• Snort Intrusion Detection
• Hacker One Bug Bounty Program
• Qualys Vulnerability Scan

4.2 Penetration Tests

Ethnio conducts ongoing penetration testing on the production environment as well as manual external penetration testing using the Cobalt platform. Penetration testing is conducted to measure the security posture of a target system or environment. Cobalt uses an accepted industry standard penetration testing methodology. Cobalt’s approach begins with a vulnerability analysis of the target system to determine what vulnerabilities exist on the system that can be exploited via a penetration test, simulating a disgruntled/disaffected insider or an attacker that has obtained internal access to the network. Vulnerability scanning is performed throughout the year by Cobalt or a similarly accepted provider.


4.3 Remediation

Remediation plans are included immediately after yearly pen tests and can be found here: ethn.io/docs/remediation.pdf

4.3 Code review prior to deployment

Every pull request in Ethnio is managed and approved by multiple developers, in line with industry best developer practices. This ensures Ethnio can monitor third party libraries and code as part of ongoing vulnerability management. We use Github, and perform both manual and automated code review to identify security defects prior to production release. This helps Ethnio identify and address any issues prior to deployment. See Section 5.7 for more information on the SDLC.

4.4 Data Transmission

All data is encrypted in transit via SSL with an A rating on SSL / TLS settings from SSL Labs: ssllabs.com/ssltest/analyze. Ethnio maintains an updated certificate and can require secure access at a customer’s request.

4.5 Remediation, Notification, & Reporting

As part of ongoing vulnerability remediation, Ethnio is required to provide updates to Customers about any security or privacy issues that may affect Customers via updates.ethn.io. Customers may subscribe to any category, such as Security, to receive ongoing email updates. We create remediation plans as necessary to address high risk vulnerabilities within 15 days and moderate risk vulnerabilities within 30 days.
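Sections 4.1 and 4.5 state two measurable commitments: scans at least once per quarter, and remediation of high-risk findings within 15 days and moderate-risk findings within 30. The block below is an added example, not Ethnio's tooling, that expresses those commitments as checks a security team can run over its own findings tracker: which open findings have passed their deadline, which were closed late, and which scanners have not run within a quarter. The finding records, scanner names and dates are constructed sample data; the choice to give "low" findings no deadline (the paper states none) and to treat 92 days as "a quarter" are assumptions made here.

```ruby
require 'date'

# Added example (not Ethnio's tooling): expresses the vulnerability-management
# cadence stated in sections 4.1 and 4.5 as checkable rules. The finding
# records, scan dates and tool names below are constructed sample data.
SLA_DAYS = { 'high' => 15, 'moderate' => 30 }.freeze   # section 4.5
SCAN_INTERVAL_DAYS = 92                                 # "at least once per quarter" (4.1), assumed as 92 days

Finding = Struct.new(:id, :severity, :opened_on, :closed_on, keyword_init: true)

# Deadline for a finding, or nil when the policy states no deadline for its severity.
def due_date(finding)
  days = SLA_DAYS[finding.severity]
  days && finding.opened_on + days
end

# Findings still open and past their deadline on the given date.
def overdue_findings(findings, today)
  findings.select do |f|
    due = due_date(f)
    f.closed_on.nil? && due && today > due
  end
end

# Findings that were closed, but only after their deadline (a recorded SLA breach).
def late_closures(findings)
  findings.select { |f| f.closed_on && due_date(f) && f.closed_on > due_date(f) }
end

# Scanners whose most recent run is older than a quarter.
def stale_scans(last_run_by_tool, today)
  last_run_by_tool.select { |_tool, ran_on| (today - ran_on).to_i > SCAN_INTERVAL_DAYS }.keys
end

def report(findings, last_run_by_tool, today)
  {
    overdue: overdue_findings(findings, today).map(&:id),
    late: late_closures(findings).map(&:id),
    stale_scans: stale_scans(last_run_by_tool, today)
  }
end

# Constructed sample tracker contents.
def sample_findings
  [
    Finding.new(id: 'F-1', severity: 'high',     opened_on: Date.new(2020, 3, 1),  closed_on: Date.new(2020, 3, 10)),
    Finding.new(id: 'F-2', severity: 'high',     opened_on: Date.new(2020, 3, 20), closed_on: nil),
    Finding.new(id: 'F-3', severity: 'moderate', opened_on: Date.new(2020, 3, 20), closed_on: nil),
    Finding.new(id: 'F-4', severity: 'low',      opened_on: Date.new(2020, 1, 1),  closed_on: nil),
    Finding.new(id: 'F-5', severity: 'moderate', opened_on: Date.new(2020, 1, 1),  closed_on: Date.new(2020, 2, 15))
  ]
end

# Constructed last-run dates for two of the scanners named in 4.1.
def sample_scans
  { 'nmap' => Date.new(2020, 3, 30), 'qualys' => Date.new(2019, 12, 1) }
end

puts report(sample_findings, sample_scans, Date.new(2020, 4, 8)).inspect if __FILE__ == $PROGRAM_NAME
```

Run against the sample data on 2020-04-08, the report lists F-2 as overdue (a high-risk finding opened on 20 March, so due on 4 April), F-5 as closed late (a moderate finding due on 31 January, closed on 15 February), and the Qualys scan as stale. Keeping the SLA table as data rather than scattered conditionals means the policy in 4.5 can be changed in one place and the same checks keep working.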


4.6 Intrusion Detection System (IDS)

Ethnio employs several systems on the network where customer data is stored. We use a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. Through protocol analysis and content searching and matching, we detect attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, the Ethnio security team receives a real-time alert. In addition to custom tools, Ethnio uses Snort, OSSEC, and a NIDS (network intrusion detection system).

In addition to IDS, Ethnio uses an isolated Intrusion Protection System (IPS) for proactive network traffic blocking if malicious traffic is detected. The Ethnio IPS is a second layer of security, which will block access as soon as any suspicious login activity is detected.

4.7 Vendor Risk Assessment

Risk assessment is fundamental to the initial decision of whether or not to enter into a vendor relationship. The evaluation of a third party may include the following:

• Technical and Industry Expertise
• Operations and Controls: complete and timely access to the information
• Compliance: Ethnio reviews TierPoint’s SOC2 assessment annually
• Financial condition: enough to support the required level of service
• Contract issues: addressing the vendor’s responsibility for security and confidentiality

Ethnio will assess the vendor’s experience and ability to provide the necessary services for current and anticipated needs and operating environments. The vendor’s duration in business and reputation will also be considered and evaluated to check performance history.

Where possible, Ethnio will take into account the adequacy of a vendor’s standards, policies and procedures relating to internal controls, facilities management (access requirements, sharing of facilities, etc.), security (systems, data, equipment, etc.), privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance and employee background checks.


Ethnio will not enter into an agreement with a vendor if there are significant litigation or regulatory actions against the vendor that might impact the relationship and performance of the service. When entering into a contract it is management’s responsibility to ensure that the performance standards are addressed within the vendor contract, and management will review/sign off on the vendor risk assessment.

For key vendors, risks will be identified, documented, and prioritized relating to the vulnerabilities and threat they pose.

4.7.1 REMEDIATION & TRACKING

Where practical, vendor contracts should contain a provision for the resolution of disputes in a timely manner. The contract should also provide for the continuation of services during the dispute resolution period. Ethnio also maintains a record of any security issues that arise from vendors.

4.8 Data Loss Prevention (DLP)

In addition to the four main active efforts to protect against data loss (Backups, Encryption, Monitoring, and Disaster Recovery planning), Ethnio also runs Nightfall AI integrated with Github via API.

| Threat | Inherent Risk | Impact | Likelihood | Mitigating Controls | Residual Risk | Conclusion / Possible Additional Counter Measure |
|---|---|---|---|---|---|---|
| Management interface APIs | Medium | Low | Medium | Directly monitoring web applications | Medium | Reviewing API portals |
| Financial condition | High | Medium | Medium | Consider the required level of service | | Check existing litigation or regulatory actions. |
| Operations and Controls | Medium | Medium | Medium | Complete access to information | Medium | Consider adequacy of a vendor’s facility |
| Physical Security | High | High | Low | TierPoint SOC2 managed data center | High | Access only by role requirements |


5. Data & Security Policies

Ethnio only acts as a Data Processor (a company that processes Personally Identifiable Information on behalf of a Data Controller) so that each Ethnio Customer acts as a Data Controller (a company that determines the purposes for which, and the means by which, the Personally Identifiable Information is processed).

To process information means to carry out an operation or set of operations on the information, such as collecting, recording, storing, disclosing, or organizing it. Information that Screener Respondents provide to Ethnio Customers passes through our service and resides on our servers, in the most secure manner adhering to industry guidelines. That information may be stored and processed in the United States or any other country in which Ethnio or its affiliates, subsidiaries or agents maintain facilities.

The full list of privacy terms can be found here: ethn.io/privacy.

5.1 Data Handling & Disposal

Customers have full control over data expiration, retention, and deletion. Ethnio offers detailed automatic data expiration options per GDPR compliance. This is covered in detail here: ethn.io/data_retention_and_expiration. The types of data deletion Ethnio offers are as follows:

• Delete an individual source from Pool (e.g. Upload)
• Delete a single response
• Delete multiple responses
• Delete an entire screener (all related data)

5.2 Development Environment

We use a secure Github repository, and all code is deployed and tested in a staging (development) environment that is functionally equivalent to the production environments. No Customer Data is used in the staging environment.


5.3 Security Hardening

With only the SSL-encrypted Github repositories, Clubhouse task management, and the Rimuhosting secured data facility in Dallas, the Ethnio system has the most limited points of vulnerability. We can offer a Tripwire audit at additional cost.

5.4 Version Control

Version control software is utilized to maintain source code versions and migrate source code through the development process to the production environment. The version control software maintains a history of code changes to support rollback capabilities and attributes changes to developers. Ethnio uses Git to manage changes in the codebase, which is also industry standard.

5.5 Remote Access & Key Management

The only remote access to Ethnio servers is through SSH. Each developer has a unique cryptographic key and access is closely monitored. We also require two factor authentication, and the entire workflow from key generation to revocation is controlled as part of Ethnio’s Employee and Device Access policies. Ethnio rotates keys at least once per year.

By default, customers have zero access to cryptographic keys. Upon request, customers may request single tenancy as part of the AWS infrastructure, and their own keys, but this is a custom Enterprise add-on.

5.6 Employee & Device Access

No Ethnio employees can gain access to servers using their mobile device. If an employee is terminated, accounts are immediately removed from all data sources (Rimuhosting, Clubhouse, Github, etc.). Device wipes are performed manually.
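Sections 5.5 and 5.6 together state three rules about SSH access: each developer has a unique key, keys are rotated at least once per year, and a terminated employee's access is removed immediately. The block below is an added example, written for this edit and not Ethnio's tooling, that reconciles a key inventory against the current employee roster and reports every violation of those rules: keys older than a year, keys whose owner is no longer an employee, and one fingerprint shared by several owners. The inventory format (one line per key: owner, fingerprint, creation date, host), the roster, the sample fingerprints and the dates are all constructed assumptions for the illustration; the paper does not describe how Ethnio records its keys.

```ruby
require 'date'

# Added example, not Ethnio's tooling: reconciles an SSH key inventory against
# the employee roster to enforce the rules stated in 5.5 and 5.6. The inventory
# line format, the roster and all sample values below are constructed.
ROTATION_DAYS = 365

KeyEntry = Struct.new(:owner, :fingerprint, :created_on, :host, keyword_init: true)

# Parses lines of the assumed form "owner fingerprint YYYY-MM-DD host". Blank
# lines and comments are skipped; malformed lines are reported, not dropped,
# because a silently ignored line is exactly where a stale key would hide.
def parse_inventory(text)
  entries, unparsed = [], []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    owner, fingerprint, created, host = line.split(/\s+/, 4)
    begin
      entries << KeyEntry.new(owner: owner, fingerprint: fingerprint,
                              created_on: Date.iso8601(created), host: host)
    rescue ArgumentError, TypeError
      unparsed << line
    end
  end
  [entries, unparsed]
end

def audit_keys(entries, active_employees, today)
  {
    # 5.5: rotated at least once per year
    expired: entries.select { |e| (today - e.created_on).to_i > ROTATION_DAYS },
    # 5.6: terminated employees lose access immediately
    orphaned: entries.reject { |e| active_employees.include?(e.owner) },
    # 5.5: each developer has a unique key, so one fingerprint must not serve several owners
    shared: entries.group_by(&:fingerprint).select { |_, es| es.map(&:owner).uniq.size > 1 }.keys
  }
end

# Constructed sample inventory and roster (placeholder fingerprints, not real keys).
SAMPLE_INVENTORY = <<~TXT
  # owner   fingerprint        created     host
  alice     SHA256:aaaa1111    2019-11-02  app-01
  bob       SHA256:bbbb2222    2018-09-15  app-01
  carol     SHA256:cccc3333    2020-01-20  db-01
  dave      SHA256:cccc3333    2020-01-20  db-01
  mallory   not-a-fingerprint  garbage
TXT
ACTIVE_EMPLOYEES = %w[alice bob carol].freeze

def sample_audit(today = Date.new(2020, 4, 8))
  entries, unparsed = parse_inventory(SAMPLE_INVENTORY)
  audit_keys(entries, ACTIVE_EMPLOYEES, today).merge(unparsed: unparsed)
end

puts sample_audit.inspect if __FILE__ == $PROGRAM_NAME
```

On the sample data as of 2020-04-08 the audit flags bob's key as past its rotation date, dave's key as orphaned (dave is not on the roster), the fingerprint shared by carol and dave as a uniqueness violation, and the unparseable mallory line for manual follow-up. The same three checks apply unchanged to a real inventory exported from whatever system records the keys.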


5.7 Change Control & SDLC

Ethnio maintains documented Systems Development Life Cycle (SDLC) policies and procedures to guide employees in documenting and implementing application and infrastructure changes. Change control procedures include change request and initiation processes, documentation requirements, development practices, quality assurance testing requirements, and required approval procedures. All the software that Ethnio employees use during the normal course of business is from large SaaS providers like Google, Github, and Gusto. Ethnio reviews application acquisition along with all key policies annually, but Ethnio relies on SaaS providers for tight access control and remote onboarding/offboarding for all employees. Additionally, Ethnio requires compliance and certification from our key SaaS providers, such as SOC2 Type 2 reports or PCI compliance.

Quality assurance testing and User Acceptance Testing (UAT) results are documented and maintained with the associated change request. Management approves changes prior to migration to the production environment and documents those approvals within the ticketing system.

Ethnio has also implemented a patch management process to ensure contracted customer and infrastructure systems are patched in accordance with vendor recommended operating system patches. Ethnio reviews proposed operating system patches to determine whether the patches are applied. Ethnio is responsible for determining the risk of applying or not applying patches based upon the security and availability impact of those systems and any critical applications hosted on them. Ethnio staff validate that all patches have been installed and, if applicable, that reboots have been completed.


5.8 SDLC Security

As part of each phase in Ethnio's secure development lifecycle, there are both manual, industry-standard tools and automated checks for security defects and data corruption. This includes Ethnio policies that require all vendors to adhere to industry standards for SDLC security, as well as the following:

• Automated – Codacy for automated source code analysis

• Manual – GitHub settings for all Ethnio repositories require code review, including manual source code analysis, before any pull request to production is approved

5.9 Data Security & Integrity

Data integrity refers to the reliability and accuracy of data over its lifecycle. Compromised data is of little use to Ethnio or its customers, quite apart from the dangers of sensitive data loss. For this reason, maintaining data integrity is a core focus for Ethnio, including both of the following policies:

• Manual – To prevent application or database errors, corruption, or misuse, Ethnio uses go data integrity (godi) or similar tools

• Automated – Ethnio uses pgcheck within PostgreSQL, which is the primary database.


6. User Account Administration

Below are all the ways in which Ethnio and the Customer can control authentication and access to Customer Data within Ethnio.

6.1 Account Types

Within Ethnio application accounts there are three roles, and Customers have fine-grained permission control over each role. Those permission controls cover business function and limit access to Ethnio Data by role. The three roles are:

1. Owner

2. Team member

3. Admin

At the system level, there are three types of accounts in the Ethnio infrastructure: application accounts available to the public, paid accounts, and administration accounts. Administration accounts are issued only to Ethnio employees and require encrypted passwords. The other two account types allow user-selected passwords, which are stored as a hash in the MySQL DB. The identity of users must be authenticated before they are provided with account and password details.

6.2 Password Management & Policies

Ethnio follows strict password rules across both system and end-user accounts. We do not send passwords via email; instead we issue unique password reset links, the standard industry best practice. Our current password requirements are an 8-character minimum with at least one uppercase letter, one symbol (!, $, #, @, etc.), and one number.
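As an illustration of the practices in this section, the following is an added example in Python, not Ethnio's code: a check of the password rules stated above, salted-hash storage of the password (so that nothing reversible is kept), and unique reset links that are single-use and time-limited. The symbol set, the scrypt cost parameters, the 15-minute link lifetime and the in-memory stores are assumptions for illustration, not details taken from this paper.

```python
"""Added example, not Ethnio's code: the password rules stated above,
hashed (never plaintext) storage, and single-use reset links.
Symbol set, scrypt parameters, token lifetime and in-memory stores are
assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

MIN_LENGTH = 8
SYMBOLS = set("!$#@%^&*()-_=+[]{}|;:,.<>?/~`\"'\\")   # assumed symbol set
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)             # assumed cost parameters
SALT_LEN = 16
RESET_TTL_SECONDS = 15 * 60                           # assumed link lifetime


def policy_violations(password: str) -> List[str]:
    """Names of the stated rules the password fails; an empty list means accepted."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("min_length")
    if not any(c.isupper() for c in password):
        failed.append("uppercase")
    if not any(c.isdigit() for c in password):
        failed.append("number")
    if not any(c in SYMBOLS for c in password):
        failed.append("symbol")
    return failed


def hash_password(password: str) -> bytes:
    """Salted scrypt hash; the stored value is salt || digest, never the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class ResetLinks:
    """Issue and redeem password-reset tokens.

    The token goes into the emailed link; only its SHA-256 is kept server-side,
    so reading the table does not yield usable links. A token is removed on
    first use, whether or not it has expired, so replaying an old link fails."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[bytes, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits of entropy
        self._pending[self._key(token)] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        entry = self._pending.pop(self._key(token), None)   # single use
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._now() <= expires_at else None


def reset_password(store: Dict[str, bytes], links: ResetLinks,
                   token: str, new_password: str) -> bool:
    """Full reset step: policy check first (so a rejected password does not
    burn the link), then redeem the link, then store a fresh hash."""
    if policy_violations(new_password):
        return False
    user_id = links.redeem(token)
    if user_id is None:
        return False
    store[user_id] = hash_password(new_password)
    return True


if __name__ == "__main__":
    users = {"alice": hash_password("Tr0ub4dor&")}
    links = ResetLinks()
    link_token = links.issue("alice")
    print(reset_password(users, links, link_token, "N3w!Passw0rd"))
    print(verify_password("N3w!Passw0rd", users["alice"]))
```

The reset store is keyed by the hash of the token rather than the token itself, which is the detail that makes "unique reset links" safe against a leaked database: an attacker who reads the pending table still cannot construct a working link.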


6.3 Shared & Stale Accounts

Use of shared accounts is not allowed; we use IP tracking, as well as 2FA, to prevent this practice. Scheduled system routines also check for inactive accounts after a defined grace period, which varies by account type. For example, self-service accounts are allowed to remain stale for longer than Enterprise accounts.

6.4 API & System Standards

Access to Ethnio via a secure API token may grant access to certain customer-defined data associated with a given screener, but that is entirely up to each customer and their use of the API. For example, if a customer wishes to send responses from a screener to UserTesting.com, Ethnio may pass that data securely. More information on this can be found here: [email protected].

6.5 Account Cancellations & Permanent Deletion

For any permanently cancelled Customer account, Ethnio will automatically and permanently wipe all customer data from all servers, including backup servers and sub-processors, within 24 hours of account deletion. The Customer receives an email notification immediately upon deleting their account.

6.6 Access Requests

System or application access requests are approved manually by the senior developer team.

6.7 Identity and Access Management Process (SSO)

If a customer enables access to Ethnio using SSO, Ethnio offers account provisioning and deprovisioning through an automated system. Ethnio account owners or admins can easily manage access privileges for the various users in the account.


7. Disaster Planning

7.1 Disaster Recovery Plan

We maintain a separate policy for our disaster recovery plan, which also covers Business Impact Analysis (BIA) and Business Continuity Planning (BCP). You can find it here:

Full Ethnio Disaster Recovery Plan: ethn.io/dr

7.2 Physical Facility

Remote backups are performed regularly and stored in a different physical location from the main servers. TierPoint and Rimuhosting provide UPS, generators, and real-time monitoring. Off-site backups are stored in our secondary data center in New Zealand and use the same industry-standard AES256 encryption as the primary hosts.

7.3 Recovery Time Objective (RTO)

Ethnio has taken action to minimize the risk of data loss. Ethnio's Recovery Time Objective is 24 hours to resume normal operations in the event of a disaster, with the goal of completing full data restoration within the same window, supported by our data center security.

7.4 Business Continuity Planning (BCP)

Ethnio has been designed to be recoverable and robust, with physically separated servers. As an additional safeguard to the main data center, Ethnio uses a warm mirror data center, kept current to the second, to support speedy recovery of critical data.


7.5 Backup policy

There are three primary methods of backup that Ethnio employs:

1) Warm database backups, updated every second on a dedicated mirror

2) On-site daily backups

3) Remote backups performed every few hours and stored in a different physical location from the main servers. TierPoint and Rimuhosting provide UPS, generators, and real-time monitoring. Off-site backups are stored in our secondary data center in New Zealand and use the same industry-standard AES256 encryption as the primary hosts.


8. HR Policies

Ethnio holds all new hires to rigorous standards of talent, references, and verified track records. Ethnio follows strict privacy guidelines, and may use Hire Right to perform background checks. Upon hire, employees are required to sign multiple agreements that address the risks of dealing with sensitive data.

8.1 Provisioning Access

Access to administrative tools and customer accounts is closely controlled by Ethnio to ensure appropriate authorization. Employees are given access to production environments or customer data only for proven essential job duties, and all access is reviewed through administrative controls. Additionally, employees must complete training and pass a series of internal checks. When access is removed, logs are kept in the appropriate tool or system.

8.2 Training & Development

Ethnio employees undergo training on company policies, privacy, and security practices. This training includes network security, device security, all aspects of customer and organizational privacy, and password and 2FA management. All employees are instructed to report potential security incidents to [email protected]. Training also covers mobile devices of all kinds and what may be used to access Ethnio system data, including BYOD (bring your own device) requirements and regulations, systems allowed for use or access, and an understanding of Ethnio oversight and litigation.

8.3 Contractors

All contractors submit references and full contractor agreements with verification of employment status. New contractors with engineering tasks are given specifically limited access to the production environment.


8.4 Onboarding & Offboarding

In addition to training, role-based onboarding includes seat provisioning for any critical internal Ethnio tools where applicable, and those seats are revoked during offboarding or when an employee no longer requires access. Additionally, Ethnio uses Gusto for managing HR compliance, documents, and policies. This offers direct access to certified HR experts via the HR Support Center and includes encryption for all employee data. Ethnio also relies on the Google Suite to log and provision employee access for both onboarding and offboarding.

8.5 Agreements

Every employee and contractor signs comprehensive agreements with Ethnio covering confidentiality, customer data access, intellectual property, essential duties, exempt status, applicable employment law, and standard clauses for all employment types. One employee stubbornly refuses to sign any agreements, and Ethnio has been working for years to convince Sela, pictured below, to sign. If you see this princess, ask her to sign.
