Security

Summary

Ethnio is a hosted SaaS that allows our customers to create recruiting screeners, similar to web surveys. Our customers use our service to post Recruiting Screeners on a website, or send links to those screeners via email or other methods. We have no control over how Ethnio customers use the personal data submitted by users to their recruiting screeners, except if they violate the Ethnio Customer Terms & Conditions, which state that they should only be using recruiting screeners for purposed related to usability or ethnographic research. If you suspect someone has violated these terms, please contact us. Screener Respondents may have any relationship to our customers, and Ethnio only acts as a Data Processor (a company that processes Personally Identifiable Information on behalf of a Data Controller) so that each Ethnio Customer acts as a Data Controller (a company that determines the purposes for which and the means by which the Personally Identifiable Information is processed). To process information means to carry out an operation or set of operations on the information, such as collecting, recording, storing, disclosing, or organizing it. Information that Screener Respondents provide to Ethnio Customers passes through our service and resides on our servers, in the most secure manner adhering to industry guidelines. That information may be stored and processed in the United States or any other country in which Ethnio or its affiliates, subsidiaries or agents maintain facilities. The full list of privacy terms can be found here: ethn.io/privacy

Physical Security

The Ethnio data center runs a Cisco networking environment. and is staffed 24x7 by technicians who perform all our remote work (e.g. changing drives, memory or swapping servers). It’s a SAS 70 Type II audited facility in a single-story, single-tenant building for enhanced control and security.

• Multiple layers of security & authentication; including card key, PIN, & biometric required for facility entrance
• Intrusion detection systems to prevent unauthorized electronic access
• Firewall management and monitoring services
• Full CCTV surveillance backed by digital recording on file for 90 days
• Remote hands to perform tape rotations and hardware swaps
• Constant management of all environmental systems (power, HVAC, fire, security and IDS)
• Remote monitoring of client equipment
• Locking cabinets and/or cages, Colo4 retains all keys
• Motion detection for lighting
• 30 inch raised floors
• 300 lbs/sq ft floor load
• Redundant HVAC with Liebert air handlers
• Each CRAC unit supported by independent roof mounted condenser
• Wind roof rating FM-90
• 11.1 MW of utility power
• 250 watts/sq ft
• Four (4) autonomous N+1 power plants delivering true A & B power supply
• Four (4) backup diesel generators on standby
• Generators tested bi-weekly and routinely run at full load
• Cabinet laid out for optimum airflow - hot and cold aisles separate exhaust and intake
• Solid cabling routed neatly overhead
• Ambient temperature of 70 degrees
• Pre-action dry pipe fire suppression
• Integrated smoke/heat detector system

Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored. Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.

Application Security

The application uses encrypted passwords in a POSTGRES database and does not give anyone access to passwords. There are no shared accounts, and Ethnio does not have access to login credentials for any users. We can reset passwords but that’s it.

Code Review

Since we’re such a small team, all code is reviewed by pretty much everybody. With two developers there is no chance for any code to make it into the application that is not authorized.

Compliance with Security Standards

We have a formal process for ensuring compliance with security standards, including applying the latest patches to NginX, Ruby, MySQL, and Rails. We are fairly obsessed with making sure our servers always have the latest patches applied. Developers are trained in security standards as much as possible, and we retain the services of Altoros to assist with that as well.

Access Logging

Systems controlling the management network at Ethnio log to our centralized logging environment to allow for performance and security monitoring. Our logging includes system actions as well as the logins and commands issued by our system administrators.

Security Monitoring

Ethnio's Security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.

Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Ethnio learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Information Security Aspects of Business Continuity Management

Ethnio’s databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability.

Your Responsibilities

Keeping your data secure also requires that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems. We offer TLS to secure the transmission of screener responses, but you are responsible for ensuring that your screeners are configured to use that feature where appropriate.

Automated Security Scans

We currently run several automated security scanning tools, and run reports at least once per quarter, but often more frequently than that, especially if we’re deploying major features.

External Penetration Tests

We hire an outside firm to run official penetration tests. Most recently, that was Include Security, but we can use another vendor by customer request.