Version 2.9 - Effective from May 2022

Social Pinpoint (SPP) understands the importance of an effective information security management system to protect the confidentiality, integrity and availability of all information assets from potential threats.

Our strong commitment to security is reflected in the implementation of our security policies, processes, controls and alignment and compliance with international standards.

The Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

Security Policies

SPP has established an information security policy foundation, as part of its Information Security Management System (ISMS) to provide clear guidance for management and staff in order to protect the confidentiality, integrity, and availability of customer data. SPP maintains, regularly reviews and updates its information security policies on a regular basis.

Compliance

Information Security

SPP has achieved ISO 27001 certification. The certification process involves an extensive independent, expert assessment of an international set of standards for developing an Information Security Management System (ISMS) to ensure that our systems effectively identify and manage security risks with the entire organization.

A copy of the ISO 27001 certificate can be provided by SPP upon request.

Privacy

SPP respects the rights and privacy of all individuals and is committed to protecting the personal information it holds and complying with various Privacy Acts and Principles including Europe’s General Data Protection Regulation (GDPR).

Click here to read our full privacy policy.

Technical review

SPP undertakes annual independent penetration testing of its product, services and infrastructure. The last penetration test was performed in November 2021.

In addition, security and penetration testing has been performed on the service, organized by the customer themselves. Several customers have undertaken a security audit and penetration tests of the service within the last 24 months.

Each customer has various standards with regards to the frequency of security and vulnerability testing. Some customers test annually, others test more frequently, such as monthly. Additionally, we are often subject to penetration tests before sites are launched. Overall, the application would be subject to many security and vulnerability tests over the course of a year, and any remediation work entailed would be applied to all customer sites and infrastructure.

Data Hosting and Physical Security

SPP utilizes the public cloud to develop, build and deploy all its infrastructure and services. Specifically, SPP utilizes Amazon Web Services (AWS) for all its cloud hosting and server infrastructure.

All data, including backups, are hosted within the customers' federal jurisdiction, or the closest acceptable location. For instance, American customers are hosted within a data center in Oregon, USA, and Canadian customers are hosted within a data center in Montreal, Québec, Canada. Australian and New Zealand customers are hosted within a data center in Sydney, NSW, Australia. European customers are hosted within a data center in Ireland.

The AWS Data Centers that host SPP's customer information assets are housed in secure nondescript facilities and physical access is strictly controlled both at the perimeter and at the building ingress points.

Personnel Security

All SPP personnel are required to complete a Police Check and undergo other identity and background screening checks at the time of hire. In addition, SPP communicates its information security policies and conducts specific security training for all personnel.

All new personnel are required to acknowledge and sign non-disclosure and confidentiality clauses as part of their employment agreements.

Asset Management

SPP information assets are managed in accordance with its information security and asset management policies. which includes the identification, classification, labeling, handling, retention, and disposal of information and assets.

Access Control

Administration

SPP has established an Access Control Policy and procedures, which outlines the general principles of access control, including how personnel should be provided access to SPP premises, applications, and networks and infrastructure.

SPP grants access initially with least privilege rules, reviews permissions regularly, and revokes access immediately after employee termination.

SPP has established a Password Management Policy, which outlines how passwords should be selected by personnel and managed within SPP applications.

SPP personnel access to The HiVE requires multi-factor authentication.

Server access

The HiVE server infrastructure is protected by network security and solutions (AWS VPC controls) to secure data at rest. All production servers are in a private subnet -there is no ability to connect to the servers directly.

A select number of authorized staff have access to manage infrastructure and services as well as create, modify and delete data. Access and authentication to SPP servers requires the use of a valid SSH key via a jump host.

User and role based access

Only privileged access is granted to personal or submission data through the platform. Privileged access is restricted and controlled through role-based access and user group permissions.

Each group and role have different permissions and access to different features of the platform. Additionally, access control within The HiVE can be customized for each user role if required.

User passwords

The HiVE provides the ability to establish minimum complex password requirements. Complex passwords can include several requirements such as:

• Minimum length
• Maximum length
• Uppercase characters
• Lowercase characters
• Numbers
• Special Characters

All passwords stored in the database are hashed.

Managing user access

Site Administrator accounts within The HiVE can manage all user accounts including adding new users and deactivating old user accounts. Site Administrators are responsible for maintaining and reviewing all user accounts and access.

Encryption

Data in-transit

The HiVE uses Transport Layer Security (TLS) encryption (also known as HTTPS) for all transmitted data, including user submissions and reporting. Internal API requests are required to pass through a secure gateway and are validated via an encrypted JSON Web Token (JWT).

Data at-rest

The HiVE uses Amazon’s Aurora Cloud Database Service for its cloud database storage. Each Aurora instance has encryption enabled meaning data is encrypted at rest, including the underlying storage for a database (DB) instance, its automated backups, read replicas, and snapshots. This capability uses the open standard AES-256 encryption algorithm to encrypt the data.

Software Development

SPP has established a Secure Development Policy which outlines how development and operational activities should be managed and conducted in a secure manner.

Development, testing, and production environments are separated. SPP uses a strict development workflow to test all new releases. All application changes must be peer reviewed, tested and accepted prior to deployment into the production environment.

All SPP source code is stored within a dedicated and secure code repository.

Backup and Recovery

SPP's databases are protected by backups of the database and files occurring every 24 hours. This service is intended for the purposes of Disaster Recovery relating to data corruption.

Backups of the data are stored in the same region as the customer's production data. SPP uses AWS S3 for data and backups, and for redundancy purposes S3 objects are stored across multiple devices spanning a minimum of three Availability Zones.

Furthermore, SPP maintains a formal Business Continuity & Disaster Recovery Plan (BCP). The BCP is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.

Data restoration is only possible from the time of the nearest daily recovery point closest to the corrupting incident.

Logging, Monitoring and Availability

Logging

The HiVE stores a range of logs at both the infrastructure and application levels.

Infrastructure logs are sent to and ingested by a centrally managed application and are kept on a 90-day rolling cycle. Access to the application logs is controlled and limited to authorized staff who have a valid login.

The HiVE application logs a number of events related to the following key functions:

• User events
• Page events
• Block (content editing) events

Application event logs are kept indefinitely, unless the service requires historic event logs to be archived due to size concerns. By default, application events can only be accessed by authorized SPP administrators via the dashboard and downloaded via csv.

SPP will provide customers with reasonable assistance and access to logs in the event of a security incident impacting their site and data.

Monitoring

The Server infrastructure, application and automation scripts are continually monitored, and internal staff are notified via email and instant messaging of any exceptions or downtime.

Availability

SPP will use commercially reasonable efforts to provide a Service that has a Monthly Uptime Percentage of at least 99.9%, unless otherwise noted within the terms of the contract agreement. Ongoing monitoring of the Service is undertaken by SPP to calculate uptime however the uptime percentage does not include any time for scheduled maintenance.

Information Security Incident Management

SPP has established an Information Security Incident Management Policy which outlines SPP's methodology for identifying, investigating, resolving and reviewing all types of information security incidents.

If a security incident has occurred or is suspected we would follow the following process:

1. Contain - Our immediate goal, once a security incident has been discovered, would be to immediately take action to limit the incident or breach.

2. Assess - We would gather and evaluate as much information about the incident or data breach as possible. This would include:

a. A determination of the impact and number of affected users

b. The types of personal information involved in the data breach

c. The circumstances of the data breach, including its cause and extent

d. The nature of the harm to affected individuals, and if this harm can be removed through remedial action

3. Notify - We would notify the customer as soon as the incident has been contained and assessed. If the security incident was ongoing, or the assessment was taking longer than expected we would provide the customer continual updates as to the status of the incident.

4. Review - We would undertake a review of the incident, to better understand its root cause and determine methods for preventing similar incidents in the future.

5. Incident Management Report - Lastly, a report would be supplied to the customer to formally document and outline the cause of the incident, the duration, impact, resolution and future prevention methods.

Additional information

For additional information regarding security and privacy please refer to the Terms of Service provided to each customer or contact SPP directly to discuss.