Information Security Policy

How MarketSmart protects and secures your data

Physical Security & Disaster Recovery

MarketSmart’s services are hosted on Amazon Web Services, which enforces strong physical security practices at its datacenters (details of which can be found here). As described in AWS website, this includes, but is not limited to:

  • Nondescript, unmarked facilities;
  • Strict physical access controls, including security staff, video surveillance, intrusion detection, and two-factor authentication;
  • Logging and regular auditing of all employee access;
  • Fire detection and suppression equipment;
  • Fully redundant power supply, including the use of an Uninterruptible Power System and backup generators;
  • Precise climate and temperature controls;
  • Continuous monitoring and preventative maintenance of critical infrastructure;
  • Storage device decommissioning process using techniques detailed in the NIST 800-88 guidelines.

In addition to AWS’s physical security practices, MarketSmart also adheres to the following practices with regards to its physical headquarters and offices:

  • Nondescript, unmarked facilities;
  • Strict physical access controls, including security staff, video surveillance, and intrusion detection;
  • Fire detection and suppression equipment;
  • Logging and regular auditing of all employee access using an electronic access control system;
  • Visitor access logging.

Information and Data Security

  • MarketSmart’s information security policy is reviewed with all new employees and available to all employees via MarketSmart’s internal site;
  • Employees are made aware of any information security policy updates and other security-related process updates;
  • MarketSmart’s network and AWS instances are continuously monitored for malicious and unauthorized behavior;
  • MarketSmart’s codebase is continuously and automatically scanned for critical vulnerabilities and other security issues;
  • MarketSmart’s technical infrastructure is audited by a third party annually for HIPAA compliance along with biannual trainings.

Network Access

  • Access to internal MarketSmart services requires a connection to MarketSmart’s VPN;
  • All network traffic to MarketSmart services is encrypted via TLS;
  • Sensitive datastores are protected using Amazon’s Virtual Private Cloud service, which restricts ingress and egress to known subnets;
  • Access to production systems and other sensitive services is restricted to authorized employees only;
  • Access rights are regularly audited and revoked the day an employee or contractor separates from MarketSmart;
  • The minimal level of access to MarketSmart’s production systems required for the performance of an employee’s duties is enabled.

Accounts and Passwords

  • Employees are required to use a password manager for all internal and third-party user accounts and are encouraged to use strong, frequently changed, random, non-shared passwords;
  • Passwords to MarketSmart user accounts are salted and hashed using industry standard encryption algorithms before storage;
  • MarketSmart user sessions expire after a period of inactivity.

Certifications

Amazon Web Services maintains certifications and is audited regularly to maintain SOC 2 and ISO 27001 compliance, as well as other programs (see the full list here: https://aws.amazon.com/compliance).