This IQ data Security Policy (the “Security Policy”) outlines the technical and procedural measures that IQ data undertakes to protect Client data (which comprises both Account and Client SDK Data) from unauthorized access or disclosure. This Security Policy is referenced in and made a part of the Terms of Service of the IQ data Platform (“Platform Terms of Service”).
In the event of any conflict between the terms of the Platform Terms of Service and this Security Policy, this Security Policy shall govern. Capitalized terms used but not defined in this Security Policy have the meanings set forth in the Platform Terms of Service.
1. Client Data Access and Management
1.1. The Client controls access to its Datasets via User IDs and passwords (with strong password enforcement). Passwords used to access the IQ data Platform (including Datasets) are stored in hashed form in accordance with industry best practice.
1.2. IQ data Personnel may not access Client SDK Data without the Client’s consent. “IQ data Personnel” means IQ data employees and individual subcontractors.
1.3. IQ data uses Client SDK Data only as necessary to provide the Platform services in line with the Client’s Platform Agreement.
1.4. Client SDK Data is stored only in a dedicated virtual server hosted on Amazon Web Services (AWS), which is allocated exclusively to the Client (a “Bucket”). Client SDK Data is stored or processed only using AWS services.
1.5. Each Dataset is stored in its own separate Bucket, which only the Client may access (unless the Client provides consent as described in 1.2 above).
1.6. IQ data shall create and maintain flow diagram(s) indicating how Client SDK Data flows through the Platform. IQ data shall provide such flow diagram(s) upon Client’s reasonable request.
2. Handling of Client SDK Data
2.1. All traffic within the Platform and between the Client’s browser and the Bucket, including the initial HTTP transmission of Client SDK Data to the Bucket, is secured and encrypted. Buckets enforce HTTP Strict Transport Security (HSTS) and support forward secrecy as well as secure renegotiation.
2.2. If the Client no longer requires a Bucket, or if the Client ends their use of the IQ data Platform, the data stored within the Bucket is immediately and permanently deleted.
2.3. Access to the Bucket is secured in accordance with section 1 above, with no access available from other IQ data systems, except where the Client has specifically requested this functionality.
2.4. Client SDK Data is held in the Bucket initially in a raw state pending ingestion and processing. Upon completion of the ingestion process all Identifying Data within the Client SDK Data is hashed and/or anonymised.
2.5. The hashed Identifying Data remains in the Bucket. To provide the Platform, IQ data’s data analysis systems pass a set of Non-Identifying Data Identifiers (IQIDs) to IQ data’s cloud system and to the Buckets of any third party who has permission, or has granted permission, to run a query.
3. IQ data Platform Infrastructure Access Management
3.1. Access to the systems and infrastructure that support the IQ data Platform is restricted to IQ data Personnel who require such access as part of their job responsibilities. All of those personnel are trained in accordance with IQ data security policy.
3.2. Unique User IDs are assigned to IQ data Personnel requiring access to the IQ data servers that support the Platform.
3.3. Access privileges of all IQ data Personnel are monitored and adjusted accordingly as circumstances require.
3.4. User access privileges to the systems and infrastructure that support the Platform are reviewed quarterly.
3.5. Access attempts to the systems and infrastructure that support the Platform are logged and monitored.
4. Risk Management
4.1. IQ data conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.
4.2. Results of assessments, including formal reports as relevant, are reported to senior management together with recommendations for new or improved controls and threat mitigation strategies.
4.3. Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.
4.4. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.
5. Vulnerability Scanning and Penetration Testing
5.1. Vulnerability scans are automatically performed on the systems that operate and manage the IQ data Platform. Both port scans and more detailed scans are performed monthly. The vulnerability database is updated regularly.
5.2. Scans that detect vulnerabilities meeting IQ data-defined risk criteria automatically trigger notifications to security personnel.
5.3. Potential impacts of vulnerabilities that trigger alerts are evaluated by IQ data Personnel.
5.4. Vulnerabilities that trigger alerts and have published exploits are reported to the Head of Security, who determines and supervises appropriate remediation action.
5.5. Penetration tests by an independent third party expert are conducted at least twice a year, and generally on a quarterly basis.
5.6. Penetration tests performed by IQ data Security are performed regularly throughout the year.
6. Remote Access & Wireless Network
6.1. IQ data maintains a strict policy of not storing Account Data or Client SDK Data (where access has been granted to IQ data Personnel by the Client) on local desktops, laptops, mobile devices, shared drives or removable media, or on public-facing systems that do not fall under the administrative control or compliance monitoring processes of IQ data.
7. Location of Data in the Platform
7.1. Client SDK Data is stored in AWS servers physically located in the UK by default, although other AWS locations may be used at the request of a Client.
8. System Event Logging
8.1. Monitoring tools and services are used to monitor systems, including network and server events, AWS API security events, availability events, resource utilization and internal service performance metrics.
8.2. IQ data infrastructure security event logs are centralised in an industry-standard Security Information and Event Management (SIEM) system. SIEM logs are stored for 12 months.
9. System Administration and Patch Management
9.1. IQ data maintains system administration procedures for systems that access Client SDK Data that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications).
9.2. IQ data maintains a documented patch management process, which ensures that patches are applied within a timeframe commensurate to their impact within the specific environment of the IQ data Platform.
9.3. IQ data Security reviews vulnerability announcements weekly and assesses their impact on IQ data based on IQ data-defined risk criteria, including applicability and severity.
10. IQ data Development Practices
10.1. In developing and enhancing the IQ data Platform, IQ data follows written development practices which ensure that security features are preserved.
10.2. All modifications to the IQ data Platform are tested in separate environments before they are deployed to the IQ data Platform in production.
10.3. All modifications to the IQ data Platform must be reviewed by at least two people (including the person who made the change). Technical controls are in place to ensure this policy is correctly applied.
10.4. Any open-source software used within the IQ data Platform is individually assessed and signed off, to ensure that it follows satisfactory security principles and that there are no licensing implications which might affect the security of Client data.
11. IQ data Security Training and IQ data Personnel
11.1. IQ data maintains a security awareness program for IQ data Personnel, which provides initial education, ongoing awareness and individual IQ data Personnel acknowledgment of intent to comply with IQ data’s corporate security policies. All IQ data Personnel are obliged to abide by the IQ data Information Security Policy and to undertake and satisfactorily complete annual training on security procedures.
11.2. All IQ data Personnel acknowledge that they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosure of or access to Client data.
12. Physical Security
12.1. The IQ data Platform is hosted in AWS and all physical security controls are managed by AWS.
13. Notification of Security Breach
13.1. A “Security Breach” is (a) the unauthorized access to or disclosure of the Client’s data, or (b) the unauthorized access to the systems within the Platform that transmit or analyse the Client’s data.
13.2. IQ data will notify the Client in writing within forty-eight (48) hours of a confirmed Security Breach affecting its data.
13.3. Such notification will describe the Security Breach and the status of IQ data’s investigation.
13.4. IQ data will take appropriate actions to contain, investigate, and mitigate the Security Breach.
14. Client Responsibilities
14.1. The Client is responsible for managing its own user accounts and roles within the Platform and for protecting its own account and user credentials. The Client will comply with the Platform Terms of Service as well as all applicable laws.
14.2. The Client will promptly notify IQ data if a user credential has been compromised or if the Client suspects suspicious activity that could negatively impact the security of the IQ data Platform or the Client’s account.
14.3. The Client may not perform any security penetration tests or security assessment activities without the express advance written consent of IQ data.
Updated: 20 February, 2020