Last updated: November 16, 2023
AllSpice processes all personal data received from Controller, or on its behalf, under this DPA in conformity with the following technical and organizational measures:
Information Security Organization
- AllSpice’s Information Security Policy outlines roles and responsibilities for personnel with responsibility for the security, availability, and confidentiality of the Product and Service.
- The Chief Technology Officer is responsible for the design, implementation, and management of the organization’s security policies, which are reviewed at least annually. Annual review includes assessment of internal controls used in the achievement of AllSpice’s Service commitments and system requirements. Following review, any deficiencies are resolved in accordance with the Risk Assessment and Management Program.
- The Chief Technology Officer also performs an annual formal risk assessment, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats. The CTO maintains a risk register, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
- The Security team is responsible for identifying and tracking incidents and creating a ‘lessons learned’ document and sharing it with the engineering team. The Engineering team is responsible for software development and deployment.
Personnel Security
- AllSpice has established a Code of Conduct outlining ethical expectations, behavior standards, and ramifications of noncompliance, as well as Acceptable Use, Data Protection, and Information Security Policies. Full-time employees acknowledge all codes and procedures within 30 days of hire.
- Background checks are performed on full-time employees within 30 days of the employee’s start date as permitted by local laws. Reference checks are performed on contractors who have access to production data.
- Within 30 days of hire, full-time employees complete training programs for information security to help them understand their obligations and responsibilities related to security.
Access Controls and Asset Management
- AllSpice adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions. Requests for escalation of privileges or changes to privileges and access permissions are documented and require approval by an authorized manager.
- The Chief Technology Officer and the Director of Infrastructure conduct annual user access reviews of production servers, databases, and applications to validate that internal user access is commensurate with job responsibilities. Identified access changes are tracked to remediation.
- Access to production machines, network devices, and support tools is restricted to AllSpice administrators and protected in accordance with industry best practices.
- Internal user access to systems and applications with service data requires two-factor authentication in the form of user ID / password, and one-time passcode.
- AllSpice has formal policies for password strength and use of authentication mechanisms.
- Production infrastructure is restricted to users with a valid SSH key; administrative access to production servers and databases is restricted to the Back-end Engineering team.
- Upon termination or when internal users no longer require access, infrastructure and application access is removed within one business day.
- Internal use of the internal admin tool is logged. These logs are reviewed monthly for appropriateness.
- Firewall configurations help ensure available networking ports and protocols are restricted to approved business rules.
- The Engineering team maintains a list of the company’s system components, owners, and their business function, and the Chief Technology Officer reviews this list annually.
Incident Management and Business Continuity
- AllSpice’s Incident Response Plan outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents through to resolution.
- The Security team tracks identified incidents according to the Incident Response Plan and creates a ‘lessons learned’ document after each high or critical incident. This document is shared with the Engineering team to make any required changes.
- The Chief Technology Officer maintains a disaster recovery plan, which is tested at least annually. The Engineering team reviews test results and makes changes to the plan accordingly.
Change Controls
- AllSpice’s Change Management Process and Standard governs the system development life cycle, including documented policies for tracking, testing, approving, and validating changes.
- System changes are tested via automated test scripts prior to being deployed into production.
- AllSpice code requests are independently peer reviewed prior to integrating the code change into the master branch.
- System users who make changes to the development system are unable to deploy their changes to production without independent approval.
- The Engineering team uses a tool to enforce standard production images for production servers.
- Configuration changes are tested (if applicable) and approved prior to being deployed into production.
- The production and testing environments are segregated; production data is not used in the development and testing environments.
Data and Availability Controls
- AllSpice’s Data Protection Policy details the security and handling protocols for service data.
- Full backups are performed daily and retained in accordance with the Backup Policy. The Engineering team restores backed-up data to a non-production environment at least annually to validate the integrity of backups.
- Access to erase or destroy customer data is limited to the Chief Technology Officer and Infrastructure Engineers.
- The Chief Technology Officer and the Engineering team manually delete data that is no longer needed from databases and other file stores in accordance with agreed-upon customer requirements.
- AllSpice’s Encryption and Key Management Policy supports the secure encryption and decryption of app secrets, and governs the use of cryptographic controls.
- Encryption is used to protect the transmission of data over the internet; service data is encrypted at rest.
- The Engineering team encrypts hard drives for portable devices with full disk encryption.
- System tools monitor company load balancers and notify appropriate personnel of any events or outages based on predetermined criteria. Any identified issues are tracked through resolution in accordance with the Incident Response Plan.
- Customer Data is replicated across availability zones to support continuous availability.
Vendor and Vulnerability Management
- AllSpice’s Vendor Risk Management Policy defines a framework for the onboarding and management of the vendor relationship lifecycle. The Chief Technology Officer assesses new vendors according to the Vendor Risk Management Policy prior to engaging with the vendor.
- AllSpice’s Vulnerability Management and Patch Program outlines the procedures to identify, assess, and remediate identified vulnerabilities.
- Vulnerability scans are executed monthly on production systems. The Chief Technology Officer and the Engineering team track critical or high-risk vulnerabilities through resolution.
- The Engineering team uses logging and monitoring software to collect data from servers and endpoints, and detect potential security threats and unusual system activity.
- The Engineering team uses alerting software to notify impacted teams of potential security and availability events.