SECURITY POLICY
Last updated: 18 January 2020
Introduction
Elementary-AI is a brand owned by nuaxia Limited. nuaxia takes our users’ security concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. This Security Policy is intended to inform and reassure you about our IT infrastructure and practices.
The Terms of Use apply to this Security Policy, including any defined terms used herein.
nuaxia Internal Policies
nuaxia has an internal security policy which it requires all employees, contractors and suppliers to comply with and sign-off on annually. All policies are compiled, reviewed and updated by nuaxia’s Technology Director and its Compliance and Data Protection Officers. This covers information classification, information handling, physical security, HR-related policies, system and network security, acceptable use, account deactivation, encryption and confidentiality requirements.
nuaxia also has its own Risk Assessment Policy, which covers threat identification, vulnerability assessment, risk analysis and risk treatment.
Both policies require annual sign-off and exception approval by the senior management team.
User Security
Authentication
-
Data access throughout our system is limited and segregated by role-based access control (RBAC). System administrator accounts are further secured through two-factor authentication (2FA). Development level access is additionally secured through IP address based access restrictions. User accounts have unique usernames and passwords that must be entered each time a user logs in. nuaxia issues a session cookie only to record encrypted authentication information for the duration of a specific session.
Passwords
-
User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
Data Encryption
-
Data in our systems is encrypted at rest and in transit.
Data Portability
-
nuaxia enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.
Privacy
-
We have a comprehensive Privacy Policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.
Data Residency
-
nuaxia system data, Member personal data, client data and response data is all stored securely within the EU.
Physical Security
All nuaxia information systems and infrastructure are hosted in world-class data centers. These data centers include all the necessary physical security controls you would expect in a data center these days (e.g., 24×7 monitoring, cameras, visitor logs, entry requirements). We segment data to ensure optimal system performance, to comply with our client’s advanced security needs and industry best practices applicable to data submitted by our members.
Security for Honoraria Payments
nuaxia uses secure third party providers to fulfil Honoraria payments. nuaxia never stores or requests any financial information relating to its Members.
Availability
Connectivity
-
Fully redundant IP network connections with multiple independent connections.
Power
-
Servers have redundant internal and external power supplies. Data centers have backup power supplies, and are able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
Uptime
-
Continuous uptime monitoring, with immediate escalation to nuaxia staff for any downtime. Server infrastructure with uptime guarantees of over 99.9%.
Failover
-
Our database is replicated in real-time and can failover in less than an hour.
Backup Frequency
-
Backups occur daily at multiple geographically disparate sites. Backups are encrypted.
Network Security
Testing
-
System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
Firewalls
-
System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
Access Control
-
Two-factor authentication (2FA), and role-based access is enforced for systems management by authorized engineering staff.
Logging and Auditing
-
Central logging systems capture and archive all internal systems access including any failed authentication attempts.
Encryption in Transit
-
Data between endpoints in our system is transferred encrypted through SSL/TLS solutions.
File Sharing
-
We share files with clients through secure FTP solutions.
Vulnerability Management
Patching
-
Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.
Penetration Testing
-
An independent company performs an annual vulnerability assessment and penetration tests of our main IT environment.
Organizational & Administrative Security
Information Security Policies
-
We maintain internal information security policies, including breach and incident response plans, and regularly review and update them.
Employee Screening
-
We perform background screening on all employees, to the extent possible within local laws.
Training
-
We provide security and technology use training for employees.
Service Providers
-
We screen our service providers and bind them under contract to appropriate confidentiality, data protection and security obligations.
Access
-
Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
Audit Logging
-
We maintain and monitor audit logs on our services and systems.
Software Development Practices
Coding Practices
-
Our engineers use best practices and industry-standard secure coding guidelines.
Deployment
-
We deploy code dozens of times during the week, giving us the ability to react quickly in the event a bug or vulnerability is discovered within our code.
Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if nuaxia learns of a security breach, we will notify affected users so that they can take appropriate protective steps and, where required, notify the regulatory authorities within specified time periods. Our breach notification procedures are consistent with our obligations under relevant laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices and posting a notice on our website if a breach occurs.
Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes. We offer SSL to secure the transmission of survey responses, but it is your responsibility to ensure that your surveys are configured to use that feature where appropriate.
Further Security Questions
Further information may be available in the Client support centre. Any further security questions or security forms can only be addressed for Clients purchasing a subscription.