Approach to Security
SmartyStreets is committed to being transparent about our practices and helping you understand our approach to security. Delivering excellent service while protecting your privacy and data are of utmost importance to us.
The Company has an established security program, dedicated to ensuring our customers have the highest confidence in our custodianship of their data. Our security program is described below and is aligned with industry standards. A Service Organization Control II (SOC 2) compliance report is available upon request.
All regular employees who have direct access to our internal information systems ("systems") are trained and required to understand and follow internal policies and standards. Before gaining initial access to any systems, our employees agree to confidentiality terms, pass a background screening, and attend security training. This training is reviewed annually and covers privacy and security topics, including device security, acceptable use, malware prevention, physical security, data privacy, account management, and incident reporting. Upon termination from the Company, all access to our data processing and systems is removed immediately.
Security and Privacy Training
Throughout employment, all personnel are required to refresh their training on privacy and security protocols. They are also required to acknowledge, at least annually, that they have read and will follow our company information security policies. Some employees, such as developers and support personnel who may have elevated access to systems or data, receive additional job-specific training. Employees are trained to recognize internal and external suspicious activity and are required to report security and privacy issues to the appropriate authorities. Employees are informed that failure to comply with acknowledged policies is grounds for severe consequences, including termination of employment.
To minimize the risk of data exposure, the Company adheres to the principle of least privilege: personnel are only authorized to access the data they reasonably need in order to fulfill their current job responsibilities. Personnel are granted access to a limited number of internal systems; requests for additional access go through a formalized process and must be approved by the responsible manager or a company officer. To ensure that users are so restricted, the Company employs the following measures:
- All systems require users to authenticate with unique identifiers;
- Each user's access is reviewed annually to ensure the access granted is still appropriate for the user's current job responsibilities.
Dedicated Security Professionals
The Company has defined roles and delineated responsibilities for operating various aspects of our Security Management. The responsibilities of each role are detailed in the Company's Disaster Recovery and Business Continuity Plan.
Protecting Customer Data
The focus of the Company's security program is to prevent unauthorized access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all teams, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve.
Data Encryption in Transit and at Rest
The Company transmits data over public networks using strong encryption. This includes data transmitted between you and our cloud-based service. The Company uses the currently recommended secure cipher suites and encryption keys to encrypt all traffic in transit and all data at rest. The Company monitors the changing cryptographic landscape and upgrades its cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
Data at rest is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Company's service. These service providers are responsible for restricting physical access to the Company's systems to authorized personnel.
Network access to the Company's production environment from open, public networks (the internet) is restricted. Only those network protocols essential for delivery of the Company's service to its users are open at the Company's firewall perimeter. The Company deploys mitigations against distributed denial of service (DDoS) attacks at its network perimeter. Changes to the Company's production network configuration are restricted to authorized personnel. In the Company's hosted production environment, control of network devices is retained by the hosting provider.
To further reduce the risk of unauthorized access to data, the Company employs multi-factor authentication for administrative access to systems holding more highly sensitive data. Where possible and appropriate, the Company uses OAuth 2.0 for authentication. For example, at this time, administrative access to production servers requires operators to connect using OAuth 2.0. Where passwords are used, multi-factor authentication is enabled for access to more sensitive data. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 48 characters, and not consisting of a single dictionary word, among other requirements).
The Company requires personnel to use an approved password manager. The password manager generates, stores, and controls unique and complex passwords. It provides a place for users to store passwords, software licenses, and other sensitive information in a virtual vault that is locked with a PBKDF2-protected master password.
System Monitoring, Logging, and Alerting
The Company monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers in the Company's production network are logged.
The Company's Security Team collects and stores production logs in a separate network. Access to this network is restricted to members of the Security Team. The Company's servers run a variety of monitoring tools that detect suspicious code, unsafe configurations, and anomalous user behavior. Our tools monitor alerts and ensure that significant issues are resolved in a timely fashion. Log analysis is automated to detect potential issues and alert responsible personnel. Logs are protected from modification and retained for the legally allotted period. Alerts are examined and resolved based on documented priorities.
Mobile Device Management
Mobile devices that are used to transact company business are centrally managed and enrolled in appropriate mobile device management systems, to ensure they meet the Company's security standards.
Responding to Security Incidents
The Company has established policies and procedures for responding to potential security incidents. All incidents are managed by the Company's Security Team. The Company defines the types of events that must be managed via the incident response process. Incidents are classified by severity.
The Company has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
All workstations issued to employees are configured to comply with our standards for security. These standards require all workstations to be properly configured, kept up to date, and tracked. The Company's default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle.
Controlling System Operations and Continuous Deployment
We take a variety of steps to combat the introduction of malicious or erroneous code to our operating environment and protect against unauthorized access.
Prevention and Detection of Malicious Code
In addition to general change control procedures that apply to our systems, the Company's production network is subject to additional safeguards against malware.
New servers deployed to production are hardened by disabling unneeded and potentially insecure services, removing default passwords, and applying the Company's custom configuration settings to each server before use.
File Change Management
The Company maintains the configuration of its production servers by using a configuration management system, and hardware is regularly rotated to ensure that only authorized configuration values are running in production environments.
Disaster Recovery and Business Continuity
The Company utilizes services from various hosting providers to distribute its production operation across multiple separate geographical locations. These locations protect our servers from loss of connectivity, power-infrastructure failures, and other common location-specific failures. Each server is capable of performing 100% of client services, which provides multiple redundancies and eliminates the need for scheduled downtime. Production transactions are replicated among these discrete operating environments to protect the availability of the Company's service in the event of a location-specific catastrophic event. The Company also retains a full backup copy of production data in a remote location more than 2500 miles from the primary operating environment. Full backups are saved to this remote location, and transactions are saved there in real time. The Company tests backups regularly to ensure they can be correctly restored.
Third-Party Service Providers
We use third-party service providers to help us host our applications, communicate with customers, power our emails, and so on. We partner with third parties whom we trust to be the best in their field and to be up to date on the latest legal requirements. A current list of third-party providers is available upon request.
The Company employs legal and compliance professionals dedicated to reviewing and ensuring our products and features are compliant with applicable legal and regulatory requirements. The Company also has a business code of conduct to promote our legal, ethical, and social responsibility to fundamentally serve our clients with the highest quality and value standards.
Like other technology companies, the Company may receive requests from users and government agencies to disclose data outside the ordinary course of operating its services. If we have signed a Non-Disclosure Agreement (NDA) with a client, the terms of that agreement govern how we proceed legally. If no such NDA exists, we adhere to our internal Data Request Policy, which addresses the legal issues and clearly outlines our procedures for responding to any such third-party requests for customer data.
Our Enterprise plan allows clients to specify unique data processing requirements that enhance our standard terms of service (e.g. security requirements, modifications to the governing law or jurisdiction and venue, auditing privileges, limited warranties, and insurance requests). Contact us if you require a Data Privacy Agreement.
Enhanced Data Privacy or "Incognito Mode"
For Enterprise clients concerned about having their data logged and analyzed for performance and quality control, we offer an Enhanced Data Privacy solution ("Incognito Mode") that prevents any data logging. Incognito Mode is a feature in the software that prevents the Client's Personally Identifiable Information (PII) from ever being logged at the point of submission to our API. The Client's data submissions are held in Random Access Memory (RAM) only long enough to process, match, and deliver verification results back to the client. Upon completion of those processes, any residual data in RAM is discarded, overwritten, or "garbage collected" by subsequent transactions. Due to the transitory nature of this process, the Client acknowledges and agrees that data troubleshooting, correction, blocking, deletion, or export back to the Client is not feasible.
Ultimate Security (local installation)
For maximum security and total client control over data deployment, we also provide a local installation, or "Client-hosted", solution. Our licensing agreement enables clients to download our API software into their own secured environment (up to four (4) active installs per license). Clients can then process addresses against a current address database locally, eliminating the need to make outbound calls or release any private or sensitive data externally. Currently, this solution is only available to Enterprise clients on Unlimited Lookup Plans.
Safeguarding private data is a critical responsibility that we at SmartyStreets take seriously. Every client using our services trusts, and deserves, that their data will be kept secure and confidential. We are committed to maintaining that trust.
Updated: September 14, 2020