FourSight Security Policy
Last Modified: April 11, 2022
FourSight takes the security of your data very seriously. Please write to firstname.lastname@example.org if you have any questions about our security and we will respond as quickly as we can.
- Definitions Unless otherwise defined herein, capitalized terms and expressions used in this Policy shall have the following meaning:
- STAFF means our partners, employees and contract personnel
- SYSTEM means the foursightonline.com website and its affiliated subdomains
- DATA means data our customers and their users enter into the SYSTEM
- Confidentiality FourSight enforces strict controls on our STAFF's access to DATA. We are committed to ensuring that DATA is seen only by those that should have access.
The operation of the SYSTEM requires that some STAFF have access to the systems which store and process DATA. For example, in order to diagnose a problem you are having with the SYSTEM, we may need to access your DATA. These STAFF are prohibited from using these permissions to view DATA unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to DATA is logged.
All of our STAFF are bound to our policies regarding DATA and we treat these issues as matters of the highest importance within our company.
- Personnel Practices FourSight conducts background checks on all STAFF before onboarding, and STAFF receive privacy and security training during onboarding as well as on an ongoing basis. All STAFF are required to read and sign our comprehensive Information Security Management System policy covering the security, availability, and confidentiality of the SYSTEM.
- Compliance The following security-related audits and certifications are applicable to the SYSTEM:
PCI: FourSight is not currently a PCI-certified Service Provider. We are a PCI Level 4 Merchant and have completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing us to use a third party to process your credit card information securely.
The cloud-based platform that hosts the SYSTEM maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.
- Access Logging Detailed access logs are available internally to FourSight administrators. We log every time an account signs in, noting the type of device used and the IP address of the connection.
Administrators can review consolidated access logs for any organization. We also make it easy for administrators to remotely terminate connections to the FourSight platform at any time, on-demand.
- Anonymization of Customer Data FourSight provides the option for users and assessment participants to anonymize participant data at any time. FourSight platform backups are destroyed within 92 days.
- Data Encryption In Transit The SYSTEM supports the latest recommended secure protocols to encrypt all traffic in transit. We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
- Availability We understand that you rely on the SYSTEM to work. We’re committed to making FourSight a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or even entire data centers.
- Disaster Recovery DATA is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have tested backup and restoration procedures, which allow recovery from a major disaster. DATA and our source code are automatically backed up every 2 hours. The Operations team is alerted in case of a failure with this system.
- Network Protection In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices. Port access is managed by AWS security groups, with only necessary ports open for connections.
- Host Management We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. We enforce screen lockouts and the use of full disk encryption on company laptops, and we require anti-virus software.
- Logging FourSight maintains extensive, centralized logging in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the SYSTEM. These logs are analyzed for security events via automated monitoring software, overseen by the security team. All logs are retained for 15 days.
- Incident Management & Response In the event of a security breach, FourSight will promptly notify you of any unauthorized access to your DATA. FourSight has incident management policies and procedures in place to handle such an event.
- Product Security Practices New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated testing prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development.