Effective: March 21, 2018
At Nextup we believe that keeping your data secure is one of our most important responsibilities. We're transparent about our security practices so you understand our approach.
Nextup's personnel practices apply to all members of the Nextup workforce (“workers”)—regular employees and independent contractors who have direct access to Nextup's internal information systems (“systems”) and / or unescorted access to Nextup's office space. All workers are required to understand and follow internal policies and standards.
Before gaining initial access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.
Upon termination of work at Nextup, all access to Nextup systems is removed immediately.
Security and privacy training
During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. They are also required to acknowledge that they’ve read and will follow information security policies at least annually. Workers are required to report security and privacy issues to appropriate internal teams. Workers are informed that failure to comply with acknowledged policies may result in consequences, up to and including termination.
Policies and standards
We maintain a set of policies, standards, procedures and guidelines (“security documents”) that govern our activities. Our security documents help ensure that our customers can rely on our workers to behave ethically and for our service to operate securely. Security documents include, but are not limited to:
- Fair, ethical, and legal standards of business conduct
- Acceptable uses of information systems
- Planning for business continuity and disaster recovery
- Classification of security incidents
- Control of changes
- Security development life cycle process
- Description, schedule, and requirements for retention of security records
We update these documents as needed and at least annually to ensure they are accurate.
We adhere to the principle of least privilege. Our team members are only authorized to access data that they are required to handle in order to fulfill their current job responsibilities. All systems require users to authenticate, and users are granted user-specific credentials. Systems access for all employees is reviewed at least quarterly to ensure the correct level of access.
We use third parties and third-party tools to verify our secure systems. When we find issues, our team works to resolve all critical vulnerabilities as quickly as possible.
We engage independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with management. We then review and prioritize the reported findings and track them to resolution.
Secure by Design
We use an SDL (secure development life cycle) process to assess the security risk of each development project. During the design phase, each project is assessed and classified utilizing OWASP 10 as High, Medium or Low risk. Based on the risk classification, a set of requirements must be met before the project can be released to production.
All code is stored in a version-controlled repository with changes subject to peer review and continuous integration testing. Defects found in this process must be remediated prior to deployment.
Protecting Customer Data
The core of our security program is to prevent unauthorized access to customer data. We take extensive measures to ensure we identify and mitigate risks, implement best practices and evaluate how we can do better.
Nextup transmits data over public networks using strong encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients. We also monitor the changing cryptographic landscape and upgrade the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients.
Data at rest in our production network is encrypted using AES256 encryption. This applies to all types of data at rest within our systems—relational databases, file stores, database backups, etc. Nextup stores encryption keys in a secure server on a segregated network with very limited access. Keys are never stored on the local filesystem, but are delivered at process start time and retained only in memory while in use.
The Nextup service is hosted in Amazon Web Services (AWS) data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment. These service providers are responsible for restricting physical access to Nextup’s systems to authorized personnel.
Nextup divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting our production application. Customer data submitted into our services is only permitted to exist in our production network, our most tightly controlled network. Administrative access to systems within the production network is limited to those engineers with a specific business need.
Network access to Nextup’s production environment from open, public networks (the internet) is restricted. Only a small number of production servers are accessible from the internet. Only those network protocols essential for delivery of service to our users are open at our perimeter. Changes to Nextup’s production network configuration are restricted to authorized personnel.
In Nextup’s hosted production environment, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) are performed using host-based controls.
We use multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, we use private keys for authentication. For administrative access to production servers, our team is required to connect using both an SSH key and a one-time password associated with a device-specific token.
Where passwords are used, multi-factor authentication is enabled. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).
Nextup allows personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.
Responding to security incidents
We have established policies and procedures (also known as runbooks) for responding to potential security incidents. Nextup defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.
Data and media disposal
Customer data is removed immediately upon deletion or message retention expiration. Backups are destroyed within 14 days. We follow industry standards and advanced techniques for data destruction.
Nextup defines policies and standards requiring media be properly sanitized once it is no longer in use. Our hosting provider AWS is responsible for ensuring removal of data from disks before they are re-purposed.
All workstations are pre-configured for employees to meet our standards. The default configuration includes disk encryption, strong passwords and locking when idle. Employees are not permitted to download customer data from production systems to their local workstations.
Disaster Recovery and Business Continuity
Nextup utilizes the services provided by our hosting provider AWS to distribute our production environment. The distinct locations within the AWS network ensure protection from loss of connectivity, power and other possible location-specific events. Full backups are stored in the AWS cloud in a highly redundant and available storage solution. Backups are created once per day.
We maintain disaster recovery and business continuity plans that set out our processes and procedures to follow in the event of a disaster. These plans are updated as needed and at a minimum annually.