We want you to feel comfortable about the security of your survey data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.
TorchMetrics uses some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
APPLICATION AND USER SECURITY
- All communications with the torchmetrics.com website are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.
- User Authentication: User accounts have unique usernames and passwords that must be entered each time a user logs on. TorchMetrics issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
- User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
- Data Encryption: Certain sensitive user data, such as credit card details and account passwords, is stored in encrypted format.
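As an added illustration of the "individually salted and hashed" practice above (this is example code, not TorchMetrics' own implementation), the following Ruby script, chosen because the page describes a Ruby on Rails stack, derives a per-user salt, hashes the password with PBKDF2-HMAC-SHA256 from the standard library, and verifies a login attempt with a constant-time comparison. The salt length, iteration count, record format and the complexity rule in `password_acceptable?` are assumptions made for the demonstration.

```ruby
require 'openssl'
require 'securerandom'

# Assumed parameters for this example (not taken from the page).
SALT_BYTES   = 16       # fresh random salt per user
ITERATIONS   = 100_000  # PBKDF2 work factor
DIGEST_BYTES = 32       # SHA-256 output length

# Returns a storable record "pbkdf2-sha256$iterations$salt_hex$hash_hex".
# Because every user gets their own random salt, two users with the same
# password produce different stored values, and precomputed hash tables
# cannot be reused across accounts.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_BYTES), iterations: ITERATIONS)
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                    length: DIGEST_BYTES, hash: 'sha256')
  ['pbkdf2-sha256', iterations, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
end

# Constant-time string comparison: the loop always runs over every byte so the
# time taken does not reveal how many leading bytes of the candidate matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-derives the hash from the stored salt and iteration count and compares it
# to the stored digest. The password itself is never stored anywhere.
def verify_password(password, record)
  scheme, iterations, salt_hex, hash_hex = record.split('$')
  return false unless scheme == 'pbkdf2-sha256'
  salt = [salt_hex].pack('H*')
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                       length: DIGEST_BYTES, hash: 'sha256')
  secure_equal?(candidate.unpack1('H*'), hash_hex)
end

# Stand-in for a "minimum complexity requirements" rule (assumed thresholds).
def password_acceptable?(password)
  password.length >= 12 &&
    password.match?(/[a-z]/) && password.match?(/[A-Z]/) && password.match?(/\d/)
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password('correct Horse battery 9staple')   # constructed sample password
  puts record
  puts verify_password('correct Horse battery 9staple', record)  # true
  puts verify_password('wrong password', record)                 # false
end
```

The stored record carries its own salt and iteration count, so the work factor can be raised for new accounts later without breaking verification of older records.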
Data Centers: Our hosting provider’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Physical Security: Our hosting provider utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon provides data center access and information only to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information, see https://aws.amazon.com/security
The Platform is monitored 24×7 by comprehensive automated systems. In the event of any issue affecting the health and operation of the infrastructure, core systems, or tools, our dedicated operations team is notified and will respond immediately to diagnose and correct any issues. This 24×7 monitoring covers the entire platform.
- Backup Frequency: Backups occur hourly internally, and daily to a centralized backup system for storage in multiple geographically disparate sites.
- Production Redundancy: Data is stored on a RAID 10 array; the operating system is stored on a RAID 1 array.
- Stack: We code in Ruby on Rails and run on a Postgres database.
- Coding Practices: Our engineers follow best practices and industry-standard secure coding guidelines.
HANDLING OF SECURITY BREACHES
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if TorchMetrics learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.
Keeping your data secure also depends on you keeping your account secure by using sufficiently complex passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes. We offer SSL to secure the transmission of survey responses, but it is your responsibility to ensure that your surveys are configured to use that feature where appropriate.