Definitions
Within this document, the following definitions apply:
Customer: any user of Five to Nine services
Customer Data: any information provided or submitted by the Customer that is processed by Five to Nine services
Personal Data: any information relating to an identified or identifiable natural person
Personnel: Five to Nine employees and authorized individual contractors/vendors
Strong Encryption: the use of industry-standard encryption measures
Physical Access
Data is collected and processed by Five to Nine for testing, staging, and production purposes on the Amazon Web Services (AWS) cloud computing platform in the Virginia region (us-east-1). As documented by Amazon:
Physical access is controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means. All entrances to AWS data centers, including the main entrance, the loading dock, and any roof doors/hatches, are secured with intrusion detection devices that sound alarms and create an alarm in the AWS centralized physical security monitoring tool if a door is forced open or held open. In addition to electronic mechanisms, AWS data centers utilize trained security guards 24×7, who are stationed in and around the building. All alarms are investigated by a security guard with root cause documented for all incidents. All alarms are set to auto-escalate if response does not occur within SLA time. Physical access points to server locations are recorded by closed circuit television camera (CCTV) as defined in the AWS Data Center Physical Security Policy. Images are retained for 90 days, unless limited to 30 days by legal or contractual obligations. AWS Physical Security Mechanisms are reviewed by independent external auditors for our SOC, PCI DSS, ISO 27001 and FedRAMP compliance.
The data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents
Equipment at the data centers is protected from power failures and other disruptions caused by failures in supporting utilities, and is appropriately maintained
System Access
Access to Five to Nine systems is granted only to Five to Nine Personnel and/or to permitted employees of Five to Nine’s subcontractors, and access is strictly limited to what those persons require to fulfill their function
All laptops used by Five to Nine Personnel have encrypted hard drives
All users access Five to Nine systems with a unique identifier (UID)
Five to Nine has established a password policy that prohibits the sharing of passwords and requires default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form
Five to Nine has a comprehensive process to deactivate users and their access when Personnel leave the company or a functional role
All access or attempted access to systems is logged and monitored
Data Access
As a matter of course, Five to Nine Personnel do not access Personal Data. Where access is required to operate the service or to assist with a customer issue, the request for access must be formally justified, tracked, and approved by the customer
Five to Nine restricts Personnel access to Personal Data on a “need-to-know” basis based on this justification
Each such access and its subsequent operations are logged and monitored
Data Transmission / Storage
Customer access to Five to Nine services is protected by the most current version of Transport Layer Security (TLS)
Five to Nine uses Strong Encryption in the transmission of Customer Data within our data centers and between our data centers and customer devices
Upon Customer’s request, Personal Data will be promptly deleted
Data Separation
Five to Nine uses logical separation within its multi-tenant architecture to ensure data segregation between customers.
In each step of the processing, Customer Data received from different Customers is assigned a unique identifier so data is always physically or logically separated
Customers only have access to their own Customer Data, which is available upon request
Data Retention
Five to Nine retains a company’s data for the duration of that company’s contract with Five to Nine and purges it at termination of the contract.
Employee data is retained for the duration of the employee’s employment and purged at termination of employment. Our data retention policy can additionally adhere to a client’s retention policy as long as it is in accordance with applicable law.
Confidentiality & Integrity
Five to Nine has a formal background check process and carries out background checks on all new Personnel
All Five to Nine Personnel are subject to individual confidentiality and non-disclosure agreements
Five to Nine has a central, secured repository of product source code, which is accessible only to authorized Personnel
Five to Nine has a formal application security program and employs a robust Secure Development Lifecycle (SDLC) which is detailed in our SDLC Policy
Used Sub-Contractors
Five to Nine uses the following sub-contractors to provide its services:
Amazon Web Services
MixPanel
SquareSpace