Data Security Policy

All Salute data is stored on an Amazon Web Services RDS PostgreSQL database provisioned through Heroku. All data centers are located within the United States, operated and hosted by Amazon Web Services (AWS).

The AWS data centers hosting this infrastructure hold the following certifications and attestations. Note that these are certifications of AWS as the hosting provider, covering the physical and infrastructure layer; they are not certifications of the Salute application itself.

  1. ISO 27001
  2. SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  3. PCI Level 1
  4. FISMA Moderate
  5. Sarbanes-Oxley (SOX)

For additional information about AWS see: https://aws.amazon.com/compliance/ 


For additional information about Heroku see: https://www.heroku.com/policy/security

Controls and Access

Data centers used to provide Salute have physical access control systems in place. These systems permit only authorized personnel to access secure areas. The facilities are designed to withstand adverse weather and other reasonably predictable natural conditions; are secured by around-the-clock guards, two-factor access screening and escort-controlled access; and are supported by on-site backup generators in the event of a power failure.


For additional information see: https://aws.amazon.com/security/

Encryption

The database is password protected and encrypted at rest. All communications between users and the application server are encrypted with HTTPS (TLS). All internal system communications, such as those between the application server and the database, are also encrypted with TLS (SSL).

Backups and Disaster Recovery

Database backups are created daily and retained for 14 days, after which they are deleted automatically. Backups can also be deleted upon request at any time. Each backup is a static PostgreSQL export (dump) containing both the database structure and its contents.


In the event of a disaster, the hosting infrastructure is automatically redeployed to another hosting region. Source code is stored in a distributed fashion: securely by the Salute development team and in the industry-standard GitHub service. Because the application is built with the widely used Ruby language and the Ruby on Rails framework, in the case of a total failure of third-party hosting it can be deployed immediately within another cloud service or on managed servers.


Data backups are created daily, and production systems can be restored from a backup in a process lasting no more than 10 minutes.

Data Protection

Salute will take appropriate security measures against unlawful or unauthorized Processing of Customer Data, and against the accidental or unlawful destruction, damage, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise processed.


Access Controls

Salute will ensure that appropriate access controls (physical, technical, and administrative) are in place to protect Customer Data and to ensure adherence to the principle of least privilege. Salute will maintain such access controls in accordance with our policies and procedures.

Encryption

Salute implements encryption for all data at rest within its products and services using the Advanced Encryption Standard (AES) algorithm, and Transport Layer Security (TLS) for data in transit.


Network and Host Security

Salute has network intrusion detection and firewalls in place.


Data Management

Salute has robust information security architecture to ensure Customer Data is protected while it is obtained, transported, and stored by our products and services. Customer Data is logically separated from the Customer Data of other Salute customers. Customer understands and acknowledges that Customer is solely responsible for implementing and maintaining access and security controls on its own systems.


We will put in place procedures and technologies to maintain the security of all Data from the point at which the means of processing are determined and the data is collected, through to the point of its destruction.


We will maintain data security by protecting the confidentiality, integrity and availability of Data, defined as follows:

  • Confidentiality means that only people who are authorized to use the data can access it.
  • Integrity means that Data should be accurate, complete, protected from unauthorized modification, and suitable for the purpose for which it is processed.
  • Availability means that authorized users should be able to access the data if they need it for authorized purposes.

Security procedures include, but are not limited to:

  • Entry controls. Any stranger seen in entry-controlled areas should be reported.
  • Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Customer information is always considered confidential.)
  • Data minimization.
  • Password protection of PCs, laptops and mobile devices.
  • Pseudonymization and encryption of data.
  • Methods of disposal. Paper documents should be shredded. Digital storage devices should be physically destroyed when they are no longer required.
  • Equipment. Staff must ensure that individual monitors do not show confidential information to passers-by and that they lock their PC when it is left unattended.
  • Taking the necessary precautions when Customer Data is shared or discussed in the presence of unauthorized persons.

Incident Management

  1. Notice

Salute is fully aware of its responsibility to implement the security measures regarding data processing, and to manage and follow up on incidents.


In the event of a confirmed Security Incident, Salute will promptly notify affected customers and related stakeholders, and will provide regular updates on the incident, the investigation, and corrective actions. “Security Incident” means unauthorized access, acquisition, or use of unencrypted Customer Data that has the potential to cause identity theft or financial harm to Customer employees.


  2. Remediation

Salute will, at its own expense, investigate the Security Incident, provide affected Customers with a remediation plan to address and mitigate the incident, take action in accordance with that plan, and reasonably cooperate with the affected Customer and any law enforcement or regulatory officials.