Access Control to Processing Areas (Physical Access Control)
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are processed.
The CareAR service is hosted on Google Cloud Platform (GCP). This ensures that all physical access to processing areas is restricted using Google’s controls. These are described here and include (but are not limited to) the following:
- Google designs and builds its own data centers, which incorporate multiple layers of physical security protections.
- Access to these data centers is limited to only a very small fraction of Google employees.
- Google uses multiple physical security layers to protect the data center floors and uses technologies like biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.
- Google additionally hosts some servers in third-party data centers, where Google ensures that Google-controlled physical security measures are in place on top of the security layers provided by the data center operator.
Access Control to Data Processing Systems (System Access Control)
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons. User identification and authentication procedures include:
- Production access is reviewed periodically - all users are verified
- Access requests are tracked in JIRA with VP of Operations approvals - reviews done at least quarterly
- GCP read-only accounts are given only to those with need
- System Admin accounts (read-only) are given only to those that require access
- Authentication is delegated to Google, so account lockout is enforced by Google's controls; MFA enrolment is verified manually.
- All CareAR internet-facing infrastructure uses Google services; no servers are configured or managed directly by CareAR.
- Access to the environment hosting user data is limited to the minimum number of people required to maintain the service and requires login via a Privileged Access Management system. Only the CareAR web portal contains user data and is hosted in GCP.
Access Control to Use Specific Areas of Data Processing Systems (Data Access Control)
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization.
All users with access to production have:
- been approved by management to have access to the systems
- been given the minimum access required (read-only access for most)
- read and acknowledged the CareAR Data Management Policy
- read and acknowledged the Xerox security and privacy policies
- taken GDPR and privacy training as part of Xerox onboarding
Transmission Control
Measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during transmission or during the transport of data media.
- Network and network access protection technologies are used
- Monitoring of the completeness and correctness of data transfers is supported by using networking protocols with built-in integrity protection (TCP checksums and retransmission, TLS record integrity protection)
Web Application Firewall
CareAR deploys its APIs behind an Imperva web application firewall (WAF), which filters and monitors incoming traffic to help prevent attacks that could jeopardize user data. Imperva, CareAR's third-party vendor, actively monitors traffic and blocks external threats to protect CareAR users.
Security By Design
The CareAR Software Development Lifecycle (SDL) process is the method by which CareAR creates secure products and defines the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment). CareAR engineers perform numerous security activities for the Services including:
- Internal security reviews before products are launched
- Periodic penetration tests performed by independent security teams
- Architecture reviews
- Secure Software Development Life Cycle (Secure SDLC) practices that integrate security into development, deployment, and operations, including:
  - Static Application Security Testing (SAST) - analyzes source code to identify vulnerabilities in applications before the applications are compiled or deployed.
  - Dynamic Application Security Testing (DAST) - identifies vulnerabilities in (web) applications while they are running.
  - Software Composition Analysis (SCA) - a set of tools and practices for identifying and managing the third-party and open-source components in software applications, which helps identify and mitigate security vulnerabilities in those components. SCA also uncovers licensing issues in the components.
Input Control
Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted) from data processing systems, and by whom.
- Access Logging and reporting systems
- Audit trails and documentation
Job Control
Technical and organizational measures to ensure that personal data may only be processed for the purpose described.
- Contracts with subprocessors to ensure personal data is treated in accordance with our privacy policy
- Access control and privacy training for those with access to personal data
- Clearly written privacy policy which describes what personal data is collected and the purposes for which it is used
Availability Control
Technical and organizational measures to ensure that personal data are protected from accidental destruction or loss.
- Availability is managed and designed based on an overall service level concept.
- The physical site where the data processing equipment is located is protected against general environmental hazards and unauthorized access. It is protected with specific measures against power loss. Temperature and humidity at the site are monitored and controlled, with alerts raised when limits are approached.
- Availability of network access to the site is enhanced through WAN-based redundancies and redundant network access paths to the site.
- Redundancies of the infrastructure components themselves (servers and storage arrays) are in place in accordance with the agreed and predefined service levels.
- Database-level features are used to minimize loss of transaction information in the event of a technical failure, where this is possible and meaningful.
- In line with the defined service levels, additional availability features at the database level (real application clustering) or at the application level (application-based replication, load balancing) are in place.
- To reduce unscheduled downtime, proactive infrastructure maintenance is performed. This maintenance work is planned on a predefined schedule. During these maintenance windows, proactive tasks are executed to keep the infrastructure at a supported level, aligned with the providers of the infrastructure components.
- After serious events, a structured After Action Review is carried out to identify mitigation actions and potential proactive measures.
- Technical and application-related changes follow change management processes, supported where possible by staged environments in which changes are applied and verified before being applied to the production environment.
- Load Balancer - CareAR uses load balancers to manage incoming traffic to CareAR services. This allows traffic to be processed efficiently while distributing load across the CareAR backend. Malformed requests are rejected at the load balancer and do not reach the CareAR servers, which helps protect the safety and security of CareAR users.
General Controls
The following additional controls are in place:
- Monitoring and surveillance techniques are used to detect misuse or threatening behavior, without prior disclosure of these techniques
- All data at rest is encrypted
- A data retention policy is in place to ensure that data are removed when no longer required and are minimized where possible
- Changes to production environment are tracked and pre-approved.
- All changes to production systems are tracked using an external logging system
- Products are developed using a Software Development Life Cycle process which ensures quality releases.
- Separate development, staging and production environments are used to ensure that products are fully tested before being delivered to customers; this also ensures that the production environment is not disrupted by testing
- The redundancy measures are checked on a regular basis. The results are documented accordingly.
- Backups and Recovery - CareAR performs regular backups of CareAR account information, call records and other critical data using Google and AWS cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption. In the rare event that data recovery is required, CareAR can recover from material service-affecting deletion of data.
- CareAR's recovery point objective (RPO) is 1 hour.
- CareAR's recovery time objective (RTO) is 24 US business hours.