Last Modified: Oct 2019
Since its creation, Ethnio security procedures and policies have evolved according to industry best practices. This page is intended to give you an overview of Ethnio security processes, and addresses the security measures we’ve taken to protect each of those processes (such as secure data collection and disaster recovery). You can review our Service Agreement for details on Ethnio’s commitment. As with many SaaS providers, particularly in the UX research space, Customers own and control their data. Ethnio treats all customer data as highly confidential, and has never had a single security breach or unplanned outage in over five years of operation. We’re constantly evolving to meet the security needs of our platform and customer requirements, particularly the increased scrutiny our customers face in keeping data safe from malicious third parties. Ethnio intends to continue earning the trust of our customers through rigorous application, physical, and infrastructure security. One basic measure, our uptime percentage, has been 99.97% for over seven years: stats.ethn.io
Privacy information and policies are covered in detail here: ethn.io/privacy. You can also find more detailed information on Compliance, Agreements, and Data Handling in the document navigation on this page.
Compliance / Certifications / Audits
Ethnio stores all customer data in a TierPoint-managed SOC2 Type 2 accredited data center in Dallas, TX. Additionally, Ethnio is under engagement with A-LIGN for complete organizational SOC2 Type 1 & Type 2 certification with a target complete dates for both in 2020. We also complete yearly external Pen Tests and daily automated external vulnerability scans. This helps us get a handle on the number of security threats that continue to develop, and ensures that all users data is handled using the strictest guidelines.
Two Factor Authentication
As a security best practice, we follow password security best practices for all Ethnio users. As an additional layer of protection, we provide the ability to enable two-factor authentication. When enabled, all Ethnio team members must enter an authentication token from their mobile device prior to gaining access to Ethnio. Read more about 2FA here .
As an optional add-on to Ethnio Enterprise plans, we support SSO via SAML 2.0 and acts as a service provider (SP) for SSO. You must have a federation service that acts as an identity provider (IdP), but you almost definitely have that if you're interested in this whole setup. Ethnio supports all the most common IdPs: Okta, OneLogin, ADFS 2.0/3.0, PingFederate/PingOne, and Google SAML 2.0. Lots more on Ethnio SSO here .
Full User Access Control
Your research team has wildly varying roles in running studies, but not every team member needs full access to Ethnio. Coordinators and external contractors may only need permission for one study, while you might have several admins that need to access and manage studies for the whole team. Our access controls allow you define what users can see and do within your Ethnio account.
Policies & Procedues
At the top of this page, you’ll find links to summaries of Ethnio compliance, security, privacy, and governance documentation. This should give you an idea of the scope of Ethnio’s commitment to security best practices, but this is by no means exhaustive.
All vulnerabilities are classified by severity according to the level of risk they present to the confidentiality, integrity, and availability of the Ethnio Customer Terms & Conditions and user Data Processing. Vulnerabilities are remediated on a timeline commensurate with the severity:
- Serverity 1 - commence fix within two (2) hours
- Serverity 2 - commence fix within four (4) hours
- Serverity 3 - commence fix within six (6) hours
The Ethnio data center runs a Cisco networking environment. and is staffed 24x7 by technicians who perform all our remote work (e.g. changing drives, memory or swapping servers). It’s a SAS 70 Type II audited facility in a single-story, single-tenant building for enhanced control and security with every possible security measure imaginable from fingerpint scanned access to isolation of Ethnio hardware.
The application uses encrypted passwords in a POSTGRES database and does not give anyone access to passwords. There are no shared accounts, and Ethnio does not have access to login credentials for any users. We can reset passwords but that’s it.
Compliance with Security Standards
We have a formal process for ensuring compliance with security standards, including applying the latest patches to NginX, Ruby, MySQL, and Rails. We are fairly obsessed with making sure our servers always have the latest patches applied. Developers are also trained in security standards.
Security Incident Response
We provide a well-defined, organized approach for handling any potential threats to Data Processing. Ethnio’s first priority after recovery, especially with critical incidents, is remediation to achieve full threat eradication. The Security Incident Response Team will focus on immediately eliminating any attacker presence, blocking access, and closing all attack vectors. Read more in the Security Incident Response Plan.
Disaster Prevention & Recovery
Ethnio stores remote backups in different physical facilities, with UPS, generators, and real-time monitoring. All company information, design, and code management is stored redundantly across several locations, including the main data center on a Cisco networking environment. Ethnio’s Recovery Time Objective (RTO) is 24 hours to resume normal operations in the event of a disaster, with the goal of a full data restoration due to our robust data center security. Read more in the Disaster Recovery Plan.
Security issues or questions?
If you have any questions or want to discuss or report a vulnerability, or if you suspect someone has violated Ethnio terms, please contact the Ethnio Security Team at firstname.lastname@example.org