Security Policy

The success of any cloud is directly proportional to how well the cloud is protected against would-be hackers. When it comes to an enforceable transactions cloud, and cloud-based contracts, the importance is paramount. ContractPal invests heavily in technology, people, and process to ensure data in ContractPal is safe, secure, and private. ContractPal's dedicated team of security professionals is responsible for designing in security from the outset, reviewing all design, code, and deployments to ensure they meet strict ContractPal security and data privacy standards.

Introduction

ContractPal is responsible for the safekeeping of data for the thousands of users of the ContractPal cloud. This responsibility is taken very seriously, and ContractPal goes to great lengths to earn and live up to the trust of its users. ContractPal recognizes that security is instrumental in maintaining user trust and strives to balance security with ease of use needs.

The ContractPal cloud benefits from extensive operational experience. ContractPal's products and services combine advanced technology solutions with industry-leading security practices to ensure enterprise and user data is secure. ContractPal invests heavily to ensure the most secure, reliable, easy-to-use environment for data and applications. In particular, ContractPal focuses on several aspects of security that are critical to business customers:

Organizational Security

The foundation of ContractPal's security strategy starts with its people and processes. Security is a combination of people, processes, and technology. Put together, the people, processes and technology result in safe and responsible computing. Security cannot successfully be validated as an afterthought. ContractPal employs dedicated security professionals to develop, document, and implement comprehensive security policies.

Development Methodology

Security is one of the first considerations when making any changes to or enhancing the ContractPal cloud. ContractPal product and engineering teams receive extensive training in security fundamentals.

The ContractPal security team is involved in all stages of the product development lifecycle including design review, code audit, system and functional testing, and final launch approval. ContractPal uses a number of commercial and proprietary technologies and services to ensure that the ContractPal cloud is secure at every level. ContractPal's security team also ensures that secure development processes are followed to ensure enterprise and user safety.

Operational Security

ContractPal's security team also focuses on maintaining security of the operational systems including data handling and system management. ContractPal's security team routinely audits datacenter operations and conducts ongoing threat assessment detection against physical and logical assets.

ContractPal's security team also shoulders responsibility for ensuring that all employees are appropriately screened and trained to conduct their job in a professional and secure manner. As appropriate, ContractPal screens and verifies an individual's background prior to joining ContractPal or working on the ContractPal cloud. In addition, such employees are re-screened on an annual basis. All personnel responsible for maintaining security processes and procedures are thoroughly trained on the practices and continually updated on their training.

Security Community & Advisories

ContractPal also actively works with the security community, leveraging the collective wisdom of the world's best and brightest. This helps ContractPal keep ahead of security trends, and quickly react to emerging threats.

Hard as we try, unknown vulnerabilities can emerge. When they do, ContractPal's policies and personnel allow it to quickly respond to security alerts and vulnerabilities. The ContractPal Security team audits all infrastructure for potential vulnerabilities, and works directly with engineering to correct any known issue as soon as possible.

Data Security

ContractPal's security team is also responsible for maintaining the security of enterprise and user data. ContractPal's cloud and business is built on user and enterprise trust, and therefore this is one of the keys to continued success of ContractPal. All ContractPal employees are taught the value of responsibility to enterprises and end users. Protecting data is at the core of what ContractPal is all about.

Physical Security

ContractPal goes to great lengths to protect the data and intellectual property in the data centers where ContractPal runs. While ContractPal doesn't run these datacenters, ContractPal has carefully selected the datacenters based upon a number of factors, including security. The facilities of these datacenters are engineered not only for maximum efficiency, but also for security and reliability. Multiple levels of redundancy ensure ongoing operation and service availability in even the harshest and most extreme of circumstances. This includes multiple levels of redundancy within a center, generator-powered backup for ongoing operations, and redundancy across datacenters. State-of-the-art controls are used to monitor the centers remotely, and automated failover systems are present to safeguard systems.

Logical Security

In web-based computing, the logical security of data and applications is as critical as physical security. ContractPal goes to extremes to ensure that applications are secure, that data is handled in a secure and responsible way, and that no external unauthorized access to enterprise or user data can be achieved. To achieve this goal, ContractPal uses a number of industry standard techniques as well as some unique, innovative approaches.

Much of ContractPal's technology is written to provide special purpose capabilities as opposed to general purpose computing. For example, ContractPal's distributed web rendering engine is specially designed and implemented by ContractPal to only expose the capabilities required for operation of ContractPal applications or Pals. Therefore, it is not as vulnerable to the wide range of attacks as most commercial software.

ContractPal has also made modifications to core libraries for security purposes. Because the ContractPal cloud is dedicated rather than a general purpose computing system, a number of the services provided by the standard Linux operating system are limited or disabled. These modifications focus on enhancing the capabilities of the system needed for the task at hand and disabling or removing any exploitable aspects of the system that aren't required.

ContractPal's servers are also protected by multiple levels of firewalls to protect against attacks. Traffic is inspected as appropriate for attempted attacks, and any attempts are dealt with to protect enterprise and user data.

Information

Most data collected by ContractPal or by a ContractPal application or Pal is stored in an encrypted or encoded format optimized for security and performance, rather than stored in traditional file systems or databases. Data is dispersed across a number of physical and logical volumes for redundancy and expedient access, thereby obfuscating it from tampering. ContractPal's physical protections ensure that physical access to servers is impossible. All access to production systems is conducted by personnel using encrypted SSH (secure shell) or secure web systems. Specialized knowledge of the data structures and ContractPal’s proprietary infrastructure would be required to get meaningful access to end user data. This is one of many security layers to ensure security of sensitive data within ContractPal.

ContractPal's multi-tenant, distributed architecture is built to provide a higher level of security and reliability than a traditional single-tenant architecture. Individual user data is dispersed across a number of anonymous servers, clusters, and datacenters. This ensures that data is not only safe from potential loss, but also highly secure.

User and enterprise data is only accessible with appropriate credentials, minimizing the possibility of one customer having access to another customer's data without explicit knowledge of their login information.

Redundancy

The ContractPal cloud is designed for maximum reliability and uptime. ContractPal's grid-based computing cloud assumes ongoing hardware failure. Robust software and hardware redundancy withstands potential disruptions. All ContractPal systems are inherently redundant by design, and each subsystem is not dependent on any particular physical or logical server for ongoing operation.

Data maintained by ContractPal is replicated multiple times across ContractPal's clustered active servers, so, in the case of a machine failure, data will still be accessible through another system. In addition, enterprise and user data is replicated across datacenters. As a result, if an entire datacenter were to fail or be involved in a disaster, a second datacenter would be able to quickly take over and provide services to users.

Threat Evasion & Detection

ContractPal continually monitors its systems, servers and datacenters for security threats. Many systems are designed to dynamically respond to detected threats.

Conclusion

ContractPal provides a secure and reliable cloud for your data, providing the latest technologies and best practices for datacenter management, network application security, and data integrity. When you entrust your information to ContractPal, you can do so with confidence, knowing that the full weight of ContractPal's technology and infrastructure investment is brought to bear to ensure the security, privacy, and integrity of your data.

For more information about ContractPal's security, send an email to our security team at security@contractpal.com or send us your request by regular mail addressed to ContractPal, Inc., Attn: Information Security Officer, 387 South 520 West, Lindon, Utah 84042.