Last Updated – September 17, 2018
Within this document, the following definitions apply:
To outline Feathr's information security structure.
a) Feathr employs full-time, dedicated, trained and certified security Personnel who are responsible for information security.
b) The information security function reports directly to the Feathr engineering leadership team.
c) Feathr has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
d) All Feathr Personnel have signed legally reviewed confidentiality agreements.
To demonstrate Feathr's commitment to managing the assessment and treatment of information security risks and to continually improving its information security.
a) Feathr has deployed an ISMS (Information Security Management System) that serves as the foundation of our information security practices.
To protect the physical assets that contain Client Data.
a) Feathr is hosted within the Amazon Web Services (AWS) cloud environment. Amazon's description of its data center physical security controls can be found here: https://aws.amazon.com/compliance/data-center/controls/
To ensure systems containing Client Data are used only by approved, authenticated users.
a) Access to Feathr systems is granted only to Feathr Personnel, and that access is strictly limited to what those persons require to fulfill their function.
b) All users access Feathr systems with a unique identifier.
c) Feathr has established a password policy that prohibits the sharing of passwords, requires passwords to be changed on a regular basis, and requires default passwords to be changed. All passwords must meet defined minimum complexity requirements and are stored in encrypted form. The password policy is enforced through an enterprise-grade password management system.
d) Feathr has a comprehensive process to deactivate users and their access when Personnel leave the company or change function.
e) All access or attempted access to systems is logged and monitored.
To ensure Personnel entitled to use systems gain access only to the Client Data that they are authorized to access.
a) As a matter of course, Feathr Personnel do not access Client Data unless it is necessary for the execution of Client initiated and requested activity.
b) Feathr restricts Personnel access to Client Data on a "need-to-know" basis based on this justification.
c) Each such access and its subsequent operations are logged and monitored.
d) Personnel training covers access rights to Client Data and general guidelines on its definition and use.
To ensure Client Data is not read, copied, altered or deleted by unauthorized parties during transfer and storage.
a) Client access to the Feathr portals is protected in transit by the most current version of Transport Layer Security (TLS).
b) Feathr relies on Amazon Cloud controls for the destruction of media. An outline of these controls can be found at: https://aws.amazon.com/compliance/data-center/controls/
To ensure Client Data remains confidential throughout processing and remains intact, complete and current during processing activities.
a) Feathr has a formal background check process and carries out background checks on all new Personnel.
b) Feathr trains its engineering Personnel in application security practices and secure coding practices.
c) Feathr has a central, secured repository of product source code, which is accessible only to authorized Personnel.
d) Feathr has a formal application security program and employs a robust Secure Development Lifecycle (SDL).
e) Security testing includes code review, penetration testing, and employing static code analysis tools on a periodic basis to identify flaws.
f) All changes to Feathr software are deployed via a controlled, approved release mechanism within a formal change control program.
To ensure Client Data is protected from accidental destruction or loss, and that there is timely access to, restoration of, or availability of Client Data in the event of a Feathr incident.
a) Feathr is hosted in Amazon's US East Region across multiple Availability Zones.
b) Feathr maintains a robust Business Continuity/Disaster Recovery program including
c) Feathr maintains multiple, redundant database backups for both short-term point-in-time data restoration and long-term contingency planning and remediation. Feathr performs weekly and monthly restoration tests to ensure the backups are functional.
To ensure each Client's Data is processed separately.
a) Feathr uses logical separation within its multi-tenant architecture to enforce data segregation between customers.
b) In each step of processing, Client Data received from different Clients is assigned a unique identifier, so that data belonging to different Clients remains logically separated throughout processing.
To ensure that, in the event of any security breach of Client Data, the effect of the breach is minimized and the Client is promptly informed.
a) Feathr maintains an up-to-date incident response plan that defines responsibilities, how information security events are assessed and classified as incidents, and the corresponding response plans and procedures.
b) Feathr regularly tests its incident response plan with "table-top" exercises and uses the lessons from those tests and from potential incidents to improve the plan.
c) In the event of a security breach, Feathr will notify affected Clients without undue delay after becoming aware of the security breach.
To ensure Feathr regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures outlined above.
a) Feathr conducts regular internal and external audits of its security practices.
b) Feathr ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.