Last Updated: 3 December 2019
LIGADATA CORPORATE TRUST COMMITMENT
This documentation describes the architecture of, the security- and privacy-related audits and certifications received for, and the administrative, technical and physical controls applicable to sanchoanalytics.com and the Sancho analytics app.
ARCHITECTURE AND DATA SEGREGATION
The Covered Services are operated in a multi-tenant architecture that is designed to segregate and restrict Customer Data access based on business needs, as configured and administered by a Customer Administrator. The architecture provides effective logical data separation between customers via customer-specific "Workgroup IDs" and allows the use of customer- and user-role-based access privileges. The specific infrastructure used to host Customer Data is commonly referred to as Infrastructure-as-a-Service, and is explained further in this document.
CONTROL OF PROCESSING
Sanchoanalytics has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by Sanchoanalytics and its sub-processors. In particular, Sanchoanalytics and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with such obligations as well as the technical and organizational data security measures implemented by Sanchoanalytics and its sub-processors are subject to regular audits by Sanchoanalytics.
SECURITY POLICIES AND PROCEDURES
The Covered Services are operated in accordance with the following policies and procedures to enhance security:
Customer passwords are stored using a one-way salted hash.
User access log entries will be maintained, containing date, time, user ID, Workgroup accessed, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
If there is suspicion of inappropriate access, Sanchoanalytics can provide customers with their log entry records. This service will be provided to customers on a time-and-materials basis.
System infrastructure logs, and application logs will be kept for a minimum of 30 days. Logs will be kept in a secure area to prevent tampering.
Passwords are not logged.
New users will be given a temporary password which they are required to change when they first log in.
Sanchoanalytics personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
Sanchoanalytics, or an authorized third party, will monitor the Covered Services for unauthorized intrusions using network-based and/or host-based intrusion detection mechanisms. Sanchoanalytics may analyze data collected by users' web browsers or mobile app for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
All systems used in the provision of the Covered Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.
Sanchoanalytics maintains security incident management policies and procedures. To the extent permitted by law, Sanchoanalytics will notify impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Sanchoanalytics or its agents of which Sanchoanalytics becomes aware. Sanchoanalytics publishes system status information on the Sanchoanalytics mobile application. Sanchoanalytics typically notifies customers of significant system incidents by email or on its mobile application, as determined by Sanchoanalytics.
Access to the Covered Services requires authentication. Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state.
Physical security is controlled through a number of access layers. Details of those layers and how Sanchoanalytics' sub-processors manage them can be found here: physical security and access control.
RELIABILITY AND BACKUP
Read more about how Sanchoanalytics' sub-processors secure their infrastructure and provide maximum availability of Customer Data.
Read more about how Sanchoanalytics and its sub-processors maintain a resilient environment.
The Covered Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Covered Services by a customer. Uploaded attachments, however, are not executed in the Covered Services and therefore will not damage or compromise the Covered Services by virtue of containing a virus.
The Covered Services use industry-accepted encryption products to protect Customer Data and communications during transmission between a customer's network and the Covered Services, including through Transport Layer Security (TLS) using at least 2048-bit RSA server certificates and 128-bit symmetric encryption keys at a minimum. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes across a dedicated, encrypted link utilizing AES-256 encryption.
DELETION OF CUSTOMER DATA
At any point, the Customer Administrator can elect to delete the associated workgroup and its data. After termination, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 120 days, after which it is securely overwritten or deleted from production within 90 days, and from backups within 180 days. Physical media on which Customer Data is stored during the contract term is not removed from the data centers that Sanchoanalytics uses to host Customer Data unless the media is at the end of its useful life or being de-provisioned, in which case the media is first sanitized before removal.
Day 0: Service terminated.
Day 0-120: Customer Data retained in inactive status.
Day 121 (approx. 4 months): Access removed. Data deleted from production, or overwritten.
Day 211 (approx. 7 months): Data deleted from backups, or overwritten, within the next 180 days.
Sanchoanalytics may track and analyze the usage of the Covered Services for security purposes and to help Sanchoanalytics improve both the Covered Services and the user experience of using them. For example, we may use this information to understand and analyze trends, or to track which of our features are used most often in order to improve product functionality. Additionally, Sanchoanalytics may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.