Security and Compliance
Section's systems and processes are built and managed with the highest and most current security standards in mind. Our security practice encompasses areas such as compliance protocols, corporate governance, data privacy, change management, and more.
SOC 2 TYPE II COMPLIANCE
Section has successfully completed a System and Organization Controls (SOC) 2 Type II audit, performed by Sensiba San Filippo, LLP (SSF). Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 information security standard is an audit report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality and privacy. A SOC 2 Type II report describes a service organization's systems and whether the design of specified controls meets the relevant trust services categories at a point-in-time. Section’s SOC 2 Type II report did not have any noted exceptions and therefore was issued with a “clean” audit opinion from SSF.
We leverage Drata's compliance automation platform to continuously monitor and report on security controls across the organization, ensuring that we are always meeting and exceeding the most up-to-date and highest security standards.
PCI DSS COMPLIANCE
Section is a certified PCI DSS Level 1 Service Provider. Section utilizes Tevora a Qualified Security Assessor (QSA) to conduct an annual compliance audit and provide a PCI DSS Attestation of Compliance (AOC). Developed by the Payment Card Industry Security Standards Council, the PCI DSS standard was created to increase controls around cardholder data and to reduce credit card fraud. The AOC report describes a service organization’s systems and whether the design of specified controls protect cardholder data. An annual AOC is important to Section because it is an independent assessment that assures customers that Section meets all of our PCI compliance requirements. If you wish to receive a copy of Sections AOC please work with your sales representative. Section requires an NDA signed by senior management to receive a copy of our AOC.
CORPORATE GOVERNANCE
Policies. The Section security policies and procedures are focused on preserving security in our systems, processes, and practices.
Information Security Team. Our security team works across the entire business to secure and protect any sensitive information related to the Section service. This team also formally reviews policies and procedures.
Risk Management. Section undertakes risk assessment practices to understand, prevent and manage and information security risks.
PEOPLE
Employee Screening. Section screens new employees before they join the Section team and these screening activities may include criminal background and reference checks.
Confidentiality. Section employees are required to agree to protect and preserve any information they may view, process, or transmit as part of their job functions where that information may be deemed sensitive.
Security Training. Section trains our team to protect sensitive information and the devices they use. This training will include new hire awareness training and annual or ad-hoc training as required.
DATA PRIVACY
Privacy Policy. The Section privacy policy describes how Section will collect, use, and protect the customer information where customer may use or interact with Section websites or configuring services in the Section Console.
Personal Data Transfer. See our terms of service for additional information about regarding processing of personal data. The Section services by default do not process personal data.
CHANGE MANAGEMENT
Change Processes. Section follows a procedural process when developing and deploying changes to technologies. Changes considered include systems and software which form the Section service
Change Testing. During the stages of development, Section will test changes. In advance of moving a proposed change to a production system, Section's team will confirm tests are successful.
Change Notification. Section prepare change notices to maintain awareness among the team. These notices are reviewed and approved by relevant team members involved with system management.
Change Review. Following the introduction of changes to the production systems, Section review and agree changes have been successful.
ACCESS MANAGEMENT
Access Requests. Section documents requests for access to the Section systems. Our team responsible for security, will then approve and grant access only where appropriate.
Access Management. Section amend any employees' levels of access to the Section systems subject to any change in an employee's role and/or responsibilities at Section.
Access Review Process. Section reviews access levels across the team and systems to ensure the appropriate access to Section systems and data is maintained.
SYSTEM AUTHENTICATION AND ACCOUNT ACCESS
User Accounts and Privileges. Section assigns unique accounts per user to each user who needs to access Section systems so we can manage, understand and enforce user-level accountability.
User Roles and Access Privileges. Roles and access levels are assigned to users to restrict access per system to the level required for each individual users to conduct their responsibilities.
Two factor authentication. Section systems require two factor authentication.
APPLICATION SECURITY
Secure development practices and processes. Section trains our development and operations teams to prevent common vulnerabilities.
NETWORK AND INFRASTRUCTURE
Security Scans and Tests. Section performs vulnerability scans and security tests on the Section systems. Section considers and deals with the findings of these scans and tests in an appropriate way in order to assist with maintaining system security.
Standards for System Configuration. For maintenance of system security, Section has documented Standards for System Configuration which the team is required to follow. These standards cover a range of system configuration elements including (but not limited to) ports, services and protocols.
Security Patching. Section monitors lists of security vulnerabilities so that when new items are raised, those vulnerabilities can be addressed immediately. Patches and updates are applied subject to the time frame necessary for criticality of the vulnerability identified.
DATA ENCRYPTION
Encrypted Data Transmission. Section's platform supports TLS and will provide customers with a solution to encrypt connections to end users and to the customers' origin servers.
Encryption Keys. To maintain security of customer Encryption Keys, Section protects access to the encryption keys provisioned by Section customers.
CONTINUITY AND AVAILABILITY
Fail Over. Section's network is built to support fail over of traffic from any individual delivery node (PoP) within a network should that PoP become unavailable for any reason. In addition, Section can move customer data to alternate networks without any interruption should for some reason an individual network provided by Section become unresponsive.
Redundancy. Leveraging major cloud providers such as AWS and Azure, Section has multiple services and peering access points available to the Section networks.
Monitoring. Section's operations teams monitor a wide range of alerting interfaces to detect, monitor and understand degraded or otherwise detrimentally affected services 24x7x365.
Reporting. Section keep customers updated using real time alerting tools and methods (such as status.section.io). For specific customer issues, Section may contact a customer directly.
INCIDENTS
Response Plan. Section has a documented response plan to bring to bear in the case of an incident on the Section platform or systems. The plan is reviewed and updated subject to the changing nature of the Section platform and threat profile of the Internet. the plan include communication processes, systems and team management.
Notifications of Unauthorized Access. Section will notify customers who may be affected by any validated breach of the Section systems or any unauthorized disclosure of that customer's confidential information.
ANALYSIS, MONITORING AND DETECTION
Analysis. Section aggregate and securely store logs reflecting the activity on Section systems. Section monitor these logs to understand, alert, diagnose and manage security threats and or incidents.
Monitoring. Section use a number of systems to track system changes and ensure accountability and enforcement of the Section security standards.
Detection. Section has systems to help surface potential threats, incidents and intrusions. The Section team will be alerted to anomalies in these detection systems.
CUSTOMER DATA
Cached Data. Temporarily cached data (what data, where and for how long) is managed by Section customers. From time to time, Section may directly manage these settings on behalf of the customer should the need arise per law as customers permit.
IP Addresses. Section may retain indefinitely any non-anonymized, non-aggregated client or subscriber IP addresses associated with suspicious activity that may pose a risk to the Section network or our customers, or that are associated with administrative connections to the Section service.
HTTP Requests. Customer and end-user content which passes through the Section network in response to requests launched by end-users creates data in the Section systems which Section use over time to monitor and manage the Section system reliability, availability, performance and security.
Physical Security. Section relies on major cloud infrastructure providers such as AWS and Azure which have the physical environment security which accompanies these standards.
Business Continuity. Section has deployed PoPs across a number of zones and networks and as such can seamlessly move customer traffic between nodes and/or networks without customer downtime.
QUESTIONS?
If you have any questions about security on the Section website, please email us at support@section.io.
Last updated: 28th June 2022