All Customer Data Security

At EZYiD we take the protection of customer data extremely seriously. This Security Policy describes the organisational and technical measures we have implemented in our platform, processes and systems designed to prevent unauthorized access, use, alteration or disclosure of user data. The core EZYiD services operate on the Google Cloud Platform (“GCP”) and this policy describes activities of EZYiD within GCP unless otherwise specified. We recommend you also review our User Agreement and Privacy Policy.

 

Compliance

  • EZYiD undertakes regular reviews of its processes, procedures and software application to ensure everything we do meets stringent international quality and security standards.
  • Google Cloud Platform is compliant with a range of standards including ISO/IEC 27001 as outlined in their website.

 

Infrastructure

  • All of our services run in the cloud and hosted using Google Cloud Platform (GCP). EZYiD does not run our own physical servers or networking infrastructure.
  • All of our services and data are hosted in GCP facilities in the United States and protected by GCP security, as described at https://cloud.google.com/files/gcp-trust-whitepaper.pdf

  • EZYiD services have been built with disaster recovery in mind, as described in our business continuity plan, ensuring we meet our availability targets as defined in our service levels.
  • Google does not disclose the location of its data centres. As such, EZYiD builds on the physical security and environmental controls provided by GCP.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorised requests getting to our internal network.

 

Data

  • All user/customer data is stored in the United States of America.
  • Customer data is stored in multi-tenant datastores;
  • We do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation).
  • EZYiD engages certain third parties to process customer data. These third parties are listed at the end of this policy and will be updated from time to time.
  • All data collected in the database and in backups are encrypted at rest (AES256).

 

Data Transfer

  • Our API and application endpoints are TLS/SSL only (TLS1.2).
  • All data sent to from EZYiD is encrypted in transit using TLS/SSL (TLS1.2).

 

Authentication

  • EZYiD is served 100% over https.
  • We have two-factor authentication (2FA) and strong password policies on all cloud services use in the hosting and development of EZYiD.

 

Web Application firewall (WAF)

  • The WAF helps secure the application by blocking common web application threats.
  • The WAF is implemented to mitigate automation threats (DDoS), block malicious bot abuse and prevent customer data being breached.

 

Security audits and penetration testing

  • We annually engage with third party auditors to audit our application, and work with them to resolve potential issues
  • EZYiD’s annual internal and external audits with third party auditors occur regarding our information security management system.
  • For security and confidential reasons, we do not divulge or share any information or penetration test results.

 

Password Policy

  • All passwords stored by the application are salted and hashed using algorithm such as BCrypt, etc. They cannot be retrieved only reset.
  • Password resets are emailed to the account holder, to verify before the password can be reset.

 

Security awareness training

  • Annually all employees undertaken security awareness training as part of our security calendar.
  • All employees sign a non-disclosure agreement outlining their responsibility in protecting customer data.

 

Data breach incident response

  • In the case of a security incident, an incident and response plan is followed, which provides guidance and the associated steps to follow in the event that EZYiD suspects or becomes aware that a data breach has occurred.
  • This plan is ensuring we contain, assess and manage a data breach in a timely fashion and in compliance with relevant legislative requirements to mitigate any potential harm to affected individuals.
  • The plan includes an assessment report that contains key tasks, roles and responsibilities, checks and procedure for notification in the event of a data breach.

 

Security Policies and procedures

The following security policies are followed in the development, support and hosting of EZYiD:

  • Access Management Policy – The purpose of this policy is to define the approach for user access management to EZYiD networks, systems and applications in order to prevent unauthorised access, and ensure that effective controls are in place so that all users and their actions can be uniquely identified.
  • Asset Management and Disposal Policy – EZYiD is committed to protecting its information assets from the loss of confidentiality, integrity and availability. The purpose of this policy is to define the mechanisms for the identification and management of these assets.
  • Information Classification and Handling Policy – The purpose of this policy is to ensure that EZYiD has a mechanism for classifying information to ensure that it is produced, stored, distributed and destroyed in accordance with the risks related to that information.
  • Mobile Device Policy – The purpose of this policy is to provide high level directives on the use, deployment and maintenance of mobile computing devices.
  • Operations Security Policy – The purpose of this policy is to provide directives for the management of operational processes to ensure that information assets are appropriately protected.
  • Physical and Environmental Policy – EZYiD maintains a significant investment in IT information assets used to support the business. The purpose of this policy is to provide direction to ensure that these assets are appropriately protected from physical and environmental threats.
  • Remote Access Policy – The purpose of this policy is to provide directives for remote connections to EZYiD network from any host. These directives are designed to minimise the potential exposure from damages which may result from unauthorised remote use of EZYiD resources.
  • Supplier Management Policy – EZYiD relies on suppliers, including contractors, business partners to provide some of its IT and business services. This requires suppliers to access EZYiD information to fulfil their service obligations. This policy establishes clear and consistent rules for governing all suppliers and supplier representative activities while conducting business with EZYiD. The policy also defines the framework for managing access to the suppliers and its representatives.
  • Teleworking Policy – The purpose of this policy is to provide high level directives on the use, deployment and maintenance of teleworking activities within EZYiD with the intention that it shall ensure that risks are reduced, and responsibilities known.
  • Incident and actions – The purpose of this procedure is to describe the process of reporting, correcting or preventing security incidents or security weaknesses from internal and external sources. These procedures establish protocols for; all personnel to identify what constitutes a security incident and how to report it, the manner in which an investigation and risk analysis are to be conducted, and managers to assist staff and action recommendations.
  • Risk Assessment – The purpose of this procedure is to describe the way risks are identified and managed within the EZYiD Information Security Management System (ISMS).

 

Change Management

  • Security fixes, hosting infrastructure configuration changes are introduced in line with the release management plan.