Last Updated: January 2023
Policy Overview
PowerReviews is committed to helping protect the security of data stored on, redirected through or processed by the PowerReviews technology platform. Following a NIST based framework, PowerReviews has implemented all necessary or appropriate technical and organizational measures taking into account the nature, scope, context and purpose of the processing services provided by PowerReviews to PowerReviews' Clients, as well as the nature and volume of personal data processed by PowerReviews, in order to provide a level of security appropriate to the risk presented by the provision of the PowerReviews services (the "Services"). These measures described herein, are designed to protect the integrity, availability, resilience, confidentiality and security of personal data, and to protect against accidental or unlawful destruction, damage or loss, or unauthorized disclosure of access.
PowerReviews may update or modify these Technical and Organizational Measures from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services provided.
1. Data Center
Infrastructure: PowerReviews stores all production data in physically secure data centers operated by Amazon Web Services (“AWS”). AWS maintains several compliance certifications covering their operations. These can be viewed at https://aws.amazon.com/compliance/programs/
Redundancy: Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Most Services are designed to allow PowerReviews to perform certain types of preventative and corrective maintenance without interruption. Preventative and corrective maintenance of the Services is scheduled through a standard change process according to documented procedures.
Power: The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations.
Server Operating Systems: Certain PowerReviews servers use a Linux based implementation customized for the application environment.
Business Continuity: PowerReviews replicates data over multiple systems to help to protect against accidental destruction or loss. PowerReviews has created business continuity planning and disaster recovery programs.
2. Networks & Transmission
Data Transmission: Data centers are typically connected via virtual private networks. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer. PowerReviews transfers data via Internet standard protocols.
External Attack Surface: PowerReviews employs multiple layers to protect its external attack surface. PowerReviews considers potential attack vectors and incorporates appropriate purpose built technologies into external facing systems.
Encryption Technologies: PowerReviews makes HTTPS encryption (also referred to as SSL or TLS connection) available using a minimum of TLS 1.2.
3. Access Controls
Infrastructure Security Personnel: PowerReviews has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. PowerReviews operations personnel are responsible for the ongoing monitoring of PowerReviews security, the review of the Services, and responding to incidents.
Access Control and Privilege Management: The data controller’s/PowerReviews' Client's administrators must authenticate themselves in order to administer the PowerReviews Services.
Internal Data Access Processes and Policies – Access Policy: PowerReviews internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. PowerReviews designs its systems to: (i) only allow authorized persons to access data they are authorized to access; and (ii) ensure that personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording. The systems are designed to detect any inappropriate access. These mechanisms are designed to grant only approved access rights to site hosts, logs, data and configuration information. PowerReviews requires the use of unique user IDs, strong passwords, two factor authentication and carefully monitored access lists to minimize the potential for unauthorized account use. The granting or modification of access rights is based on: the authorized personnel job responsibilities; job duty requirements necessary to perform authorized tasks; and a need to know basis. The granting or modification of access rights must also be in accordance with PowerReviews internal data access policies and training. Approvals are managed by workflow tools that maintain audit records of all changes. Access to systems is logged to create an audit trail for accountability. Where passwords are employed for authentication, password policies that follow at least industry standard practices are implemented. These standards include password expiry, restrictions on password reuse and sufficient password strength.
4. Data Storage and Isolation
PowerReviews stores data in a multi-tenant environment: PowerReviews logically isolates the data controller’s data, and the data controller/PowerReviews Client will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable the data controller/PowerReviews Client to determine the product sharing settings applicable to end users for specific purposes.
5. Personnel Security
PowerReviews personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. PowerReviews conducts reasonably appropriate background checks on all employees.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, PowerReviews confidentiality and privacy policies. Personnel are provided with security training. PowerReviews personnel will not process customer data without written authorization.
6. Security by Design
PowerReviews platform and software code have been designed with the security of the PowerReviews' Client's data in mind. PowerReviews employs a code review process to increase the security of the code used to provide the Services and enhance the security posture in production environments.
7. Sub-processors
Prior to onboarding Sub-processors, PowerReviews conducts a review of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once PowerReviews has assessed the risks presented by the Sub-processor, the Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms. A list of current Sub-processors can be found at: https://www.powerreviews.com/sub-processor-list/
8. Vulnerability Management
PowerReviews conducts regular assessments on critical systems with the intent of finding system and application vulnerabilities.
9. Breach Detection and Response
PowerReviews uses a managed solution for safeguarding applications running on our platform and a threat detection service that continuously monitors for malicious activity and unauthorized behavior. PowerReviews also log access requests and usage of the platform to further facilitate security incident monitoring and response.
In the event that a security incident is detected, PowerReviews will act promptly to identify, contain, mitigate, and remediate the incident. All constituents will be promptly notified in accordance with law and applicable agreement(s).
10. Audit
PowerReviews maintains a NIST based information security management system with controls that are audited internally and externally on a regular basis.