Data Security Standards
Last update: February 10, 2025
Effective Date: October 1, 2021
The following describes the security principles and architecture of Toric Labs Inc, doing business as Datagrid (“Datagrid”), with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms shall have the meaning assigned to them in the Agreement unless otherwise defined herein.
1. Principles
Datagrid emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
2. Data Encryption and Privacy
Datagrid is designed for privacy first. Customer Data is encrypted in transit and encrypted at rest (and remains encrypted at rest). The connection to app.Datagrid.com is encrypted with 256-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS.
3. Access, Controls, and Policies
Access to manage Datagrid’s AWS environment requires multi-factor authentication, with access to Customer Data restricted to a limited set of approved Datagrid employees. Server/Infrastructure management is performed via Infrastructure-as-code procedures, with changes reviewed, committed and tracked. When necessary, infrastructure access is done via role-based access control restricting access based on least privilege principles. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured to restrict access using the principle of least privilege. Access to Datagrid systems is promptly revoked upon termination of employment.
4. Data Centers
Datagrid uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in both the United States and Canada. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
5. Vendor Management
Datagrid takes reasonable steps to select and retain only third-party service providers that will maintain and implement security measures consistent with the measures stated in this attachment. Before software is implemented or a software vendor can be used at Datagrid, Datagrid IT carefully reviews the vendor’s security protocols, data retention policies, privacy policies, and security track record. IT may reject use of any software or software vendor for failure to demonstrate the ability to sufficiently protect Datagrid’s data and End Users.
6. Payment Processing
All payment-related services are provided by Stripe, certified to PCI DSS Level 1. Datagrid employees cannot access or store sensitive payment information.
7. Testing and Remediation
On a 3-month basis, Datagrid performs, on its own, an internal security audit to identify and prevent Customer Data loss and to assess the security, reliability, and integrity of the Service. To the extent Datagrid determines, in its sole discretion, that any remediation is required based on the results of such an audit, it will perform such remediation within a reasonable period of time, taking into account the nature and severity of the identified issue.
8. Security Monitoring
Datagrid automatically or manually updates most software it runs and outsources to Amazon when logical and possible. Datagrid maintains a vulnerability scanning process for production systems. The scope of vulnerability scans includes both external and internal systems in the production environment. Datagrid’s engineering determines a severity rating for each vulnerability based on the assessment tools' criteria such that high or higher-level ranked vulnerabilities require remediation.
9. Backup and Restoration
Datagrid takes daily snapshots of its databases and securely copies them to a separate AWS availability zone for restoration purposes in the event of a regional AWS failure. Backups are encrypted and have the same protection in place as production.
10. Change Management
Datagrid has established a change management policy to ensure changes meet Datagrid's security, confidentiality, and availability requirements. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant teams holding the area of responsibility prior to deployment. Changes are first tested against an extensive suite of automated tests, then deployed to development and staging environments for further validation, prior to deployment to the production environment.
11. Disaster Recovery and Business Continuity
Datagrid maintains a business continuity plan centered around ongoing data replication, hot backups and Infrastructure-as-code in an effort to restore services to the widest extent possible in a reasonable time frame. Infrastructure restoration is a mostly automated process, with documented manual steps. In addition to daily backups offsite, real-time database snapshots are synchronized at 5-minute intervals, with a weekly database restoration process to ensure validity of the backed-up data.
Datagrid reserves the right to update these terms from time to time and modify its security practices, provided that such update or modification will not materially and adversely diminish the overall security of the Service during the applicable Subscription Term.