Starred Security and Data Protection
(Last updated: August 21st, 2020)
For Starred, data protection is a primary focus of our ISO 27001 compliant security efforts ensuring that we protect private and sensitive information processed by our application. This overview outlines Starred’s approach to security, and compliance, including details on technical and organizational measures regarding how Starred protects your data. While this doc should cover all your security-related questions, we’d be more than happy to provide more detail.
Just reach out to Customer Happiness through in-app chat.
Hardware and infrastructure
- AWS Geo-dispersed, ISO 27001-certified, and SOC-audited data centers, located across multiple regions in the EU: in Ireland (AWS: eu-west-1), in Frankfurt, Germany (AWS: eu-central-1), and in Paris, France (eu-west-3).
- Secure data replication and encrypted archival.
- Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing.
- Professional, commercial-grade firewalls, border routers, and network management systems.
Systems and operations
- Centralized, logical access management system.
- Two-factor authentication, encrypted VPN access.
- Denial of Service (DDoS) mitigation.
- Active intrusion detection and prevention.
- Anti-malware software integration that automatically alerts Starred’s incident response team if potentially harmful code is detected.
- Third-party penetration testing.
Applications and Access
- Formal code reviews and vulnerability mitigation by third parties.
- Application-level Advanced Encryption Standard (AES) 256-bit encryption.
- Key management and encryption program.
- Malware protection.
- Configurable security features.
- Multi-factor authentication provides an additional level of assurance that only those authorized to access Starred can access.
- Role-based authorization enables you to designate access to specific individuals.
Transmission and Storage
- Data encrypted in accordance with industry best-practice standards. Starred supports full encryption in transit. No non-encrypted data leaves our data center. All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet. All data is encrypted at rest on our AWS EBS disks. Backups sent to our private S3 buckets are encrypted using 4,096 bit GPG keys.
- Access and transfer of data to/from Starred via HTTPS.
- Digital certificate technology.
- Customer-configurable data retention capability.
Information security at Starred is everyone’s job. We invest in training and awareness to ensure that information security stays top of mind for all of our employees.
- Starred conducts background checks for all prospective employees. Before they join our staff, Stared will verify an individual’s education and previous employment, and perform reference checks. The extent of these background checks is dependent on the desired position.
- Starred employs a Security Officer who is part of our software engineering and operations division. This professional is tasked with developing security review processes, building security infrastructure and implementing Starred’s security policies. Starred actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.
- All Starred employees undergo information security and privacy training as part of the onboarding process and receive ongoing training throughout their Starred careers, at least annually. During onboarding, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure.
- Training for engineers to ensure coding is done securely, with regular security audits of the code base.
Starred’s business processes, including internal policies, software development and application monitoring, take into consideration the security of our customer data.
- On-premise security policies, such as badge access, manned public entrances and physical access controls.
- Only a small group of Starred employees have access to customer data. For Starred employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
- Active monitoring and alerting. Our infrastructure and services are monitored in a variety of ways, including: system and application metadata to a centralised logging service for analysis and alerting, tailored to our systems, AWS alerting of events such as instance scaling and spikes in traffic / changes in application performance, AWS Cloudwatch alerting for infrastructure and application level monitoring.
- Security reviews within the Starred Software Development Life Cycle (SDLC), including the planning, design, implementation testing, shipping and response phases.
- Formal code reviews and vulnerability mitigation by third parties for applications and access security.
- Annually reviewed Business Continuity Policy, and Disaster Recovery Plan.
- We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security officer logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority.
Starred’s secure application encompasses hardware and infrastructure, systems and operations, applications and access, and transmission and storage.
- Commercial-grade data centers across regions, so that critical customer data remain available in the event of any business disruption.
- Secure, near real-time data replication.
- Physically and logically separated networks for systems and operations. Currently we have networks for management, staging, and production. There are peering links between management and the other two, for the purposes of management services having access to those environments, but not between staging and production.
- We utilise EC2 Security Groups to control access between subnets, networks, and the internet. By default, no access between machines is given, ports are only opened between them when necessary.
- Our VPN is protected with multi factor authentication. The first (the “possession factor”) is a revocable certificate, attached to a username. The second is (the “knowledge factor”) is a (very) strong password for that certificate. And the third (the “inherence factor”) is an OTP token, regenerated every minute.
- Malware protection.
- Commercial-grade firewalls and border routers to resist/detect IP-based and denial-of-service attacks.
- Digital certificate technology.
- Two-factor encrypted VPN access.
The information below is provided to illustrate Starred’s engagement process for sub-processors, and to provide a subprocessor list. Starred uses certain sub-processors to support the delivery of the Starred services.
What is a sub-processor?
A sub-processor is a data processor who, on behalf of Starred, processes personal data.
Starred uses certain infrastructure sub-processors to host its applications and other service- specific sub-processors to provide specific functionality within the Starred services. Starred processes personal data in countries within the European Union whenever possible to keep data transfer to a minimum. If Starred processes personal data outside the European Union it is with due regard for the applicable privacy laws, which is governed by Standard Contractual Clauses (SCCs). The SCCs are a set of terms that have been approved by the European Commission which allow data to be safely transferred.
List of Sub-processors
Please find the list of sub-processors, their role and location of processing below.
- Amazon Web Service, Inc.
- The Rocket Science Group LLC d/b/a Mailchimp
Email service provider
- New Relic, Inc.
AI-Powered ELK as a Service
- Functional Software, Inc. (Sentry)
Application Error Tracking
- Domo, Inc.
Data Reporting and Visualization
Due diligence and safeguards
Starred uses commercially reasonable efforts to evaluate the data protection practices of sub-processors that may have access to or process personal data. Starred requires sub-processors to provide, at a minimum, the level of data protection required of Starred under applicable data protection laws and regulations, including, but not limited to, the requirements to:
Use commercially reasonable security measures in providing services to Starred to preserve the security, integrity, and confidentiality of personal data, and to protect against unauthorized access and anticipated threats or hazards to personal data;
Use personal data only for Starred to provide its services (including necessary sub-processor services), and not process personal data for any other purpose;
Handle and maintain personal data in compliance with all applicable data privacy and protection laws, rules, and regulations;
Comply with obligations as required by all applicable data privacy and protection laws, rules, and regulations;
Starred is certified at the highest level of global information security assurance available today, ISO 27001, which provides customers assurance that Starred meets stringent international standards on security.