Sponsorship Buddy will use commercially reasonable efforts consistent with, and no less rigorous than, best industry practices to ensure that appropriate facility and data security procedures and processes are in place to protect against destruction, corruption, loss or alteration of, unauthorized access to, or interference with, any of the customer’s production and other data, accounts, systems, confidential information or customer data created and generated through the use of the Sponsorship Buddy software.
Data Storage and Isolation
Sponsorship Buddy will not store the customer’s data on unencrypted portable media such as laptop computers, external hard drives, USB drives, or other portable devices. The customer’s data will be properly segregated from all third party data.
Access to customer data is restricted to appropriate personnel. The appropriateness is established based on role and the principle of least privilege. Only DBAs, System Engineers and System Administrators may access production application environments containing customer data. Developers, Support personnel and Quality Assurance may require access to non-production environments containing customer data in order to ensure application performance or to troubleshoot a reported customer issue. Support access to troubleshoot data-specific issues is granted explicitly by the customer and provisioned temporarily using automated tools and mechanisms.
Vulnerability Scans and Testing. Sponsorship Buddy will perform regularly scheduled vulnerability assessments on the Sponsorship Buddy software. Results from these assessments are internally escalated, planned, prioritized and remediated. Sponsorship Buddy will use application and system logging processes, and these logs will be stored, protected and reviewed on a regular basis. Systems will be scanned regularly for vulnerabilities, which will be prioritized and patched according to corporate policy.
If a third party should request that Sponsorship Buddy disclose a customer’s data pursuant to a subpoena, summons, search warrant, court or governmental order, Sponsorship Buddy will provide the customer with immediate notice and, to the extent permissible by law, a reasonable opportunity to oppose release of the data prior to releasing any such data. If any disclosure is finally directed by a lawful order, Sponsorship Buddy will disclose only so much of the data as is necessary to meet the requirements thereof.
Data Location and Redundancy
Customer application data resides in Sponsorship Buddy’s collocated data center facilities. Collocation facilities are located in the US, are replicated in real time and act as the primary data site with a warm failover. This ability to deliver support services globally provides our customers with around-the-clock availability and performance.
By default, Sponsorship Buddy document storage is provided on Amazon’s Simple Storage Service (S3) platform in US regions. Commitments to encryption, data security, confidentiality and availability are maintained at standards that meet or exceed those established with Sponsorship Buddy.
Amazon Web Services (AWS)
AWS environments are configured with multiple Availability Zones (AZs) within each given region. These AZs distribute documents between various physical locations within an AWS region. AZs are designated by environmental tolerance. While they exist in the same AWS region, they do not share power grids, flood plains, fault lines, etc. with the other physical locations within the same region. Each Sponsorship Buddy instance is also replicated to a separate region in order to provide additional failover and redundancy. For additional information on AWS regions and AZs, please visit http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html.
Through the use of the Sponsorship Buddy application, data may be transferred and stored in order to provide the intended service. The following data categories apply to the types of information transferred and stored by the Sponsorship Buddy platform.
Sponsorship Buddy performs regular reviews of the security in the Amazon platform. Sponsorship Buddy understands the ‘Shared Responsibility Model’ and designs its security controls with these requirements in mind.
Document Storage. Sponsorship Buddy document storage leverages Amazon’s S3 by default. Providing this functionality on S3 allows customers significant storage scalability. No customer registration is required. Documents are stored in Sponsorship Buddy application buckets within Amazon’s S3 platform. Access safeguards are applied to these buckets just as they are for any and all application environments.
Customers remain responsible for the security of the data uploaded to Sponsorship Buddy. The data protection is facilitated in a shared responsibility approach between Sponsorship Buddy and Amazon. Additional details can be found here: https://aws.amazon.com/compliance/shared-responsibility-model. Annually, Sponsorship Buddy obtains control requirements for meeting Amazon’s designed control objectives (User Control Considerations) and ensures that appropriate compensating controls are operating effectively in the environment.
Partner Plug-ins and Connectors
Sponsorship Buddy may recommend various partner solutions for delivering strategic integrations with independent vendor applications. Safeguards for the tools built and implemented by Sponsorship Buddy partner solutions are established and maintained by the partner. Sponsorship Buddy does not include these plug-ins and connectors during control performance or application penetration testing. Any additional information related to the security of these partner plug-ins and connectors should be addressed to the partner.