Styku Data Processing Agreement — Annex 2 Security Measures: Transmission, Incident Management, and Availability
Summary
Styku requires HTTPS/TLS encryption for all data in transit and uses layered encryption for data at rest. Styku maintains a written Incident Response Plan, logs system activity extensively, and will notify customers of confirmed security incidents per the Agreement. Infrastructure is designed for high availability with at least 99.95% uptime targets, redundant data backups across multiple availability zones, and regularly tested disaster recovery plans.
Full Policy Text
c) Transmission Control
In-transit: We require HTTPS encryption (TLS, often still referred to as SSL) on all login interfaces and, at no additional cost, on every customer site hosted on Styku products. Our HTTPS implementation uses industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We take a layered approach of at-rest encryption technologies to ensure Customer Data and Customer-identified Permitted Sensitive Data are appropriately encrypted.
d) Incident Management, Logging, and Monitoring
Incident Response Plan: We maintain a written Incident Response Plan, playbooks, and other necessary processes and procedures to fulfill the standards and obligations reflected therein.
Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes a description, the dates and times of relevant activities, and the incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incident, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
e) Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary instance. All databases are backed up and maintained using at least industry standard methods.
Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes. Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
Applies to: All Styku customers