Collabushare Security Statement

All capitalized terms not defined in Security Statement will have the meanings given to them in the Software and Services Agreement.

Collabushare maintains Security Measures that include administrative, technical and physical safeguards for the protection of the security, confidentiality and integrity of Customer Data.

Security Measures are designed to:

  • protect the privacy, confidentiality, integrity, and availability of Customer Data in Collabushare’s possession or under its direct control;

  • protect against anticipated threats to the confidentiality, integrity, and availability of Customer Data;

  • protect against unauthorized or unlawful access, use, processing, disclosure, alteration or destruction of Customer Data;

  • protect against accidental loss or destruction of Customer Data; and

  • comply with applicable laws that are relevant to the handling, processing and use of Customer Data by Collabushare in accordance with the Agreement.

Collabushare will use commercially reasonable efforts to engage third parties to whom Collabushare provides Customer Data that implement and maintain security measures that Collabushare reasonably believes are at least as protective as those described in this Security Statement.

For third parties, such as its hosting provider, who store, control, process or manage Customer Data, Collabushare is responsible for assessing their control environments to determine that security measures and controls designed to meet the above objectives are in place. 

Without limiting the foregoing, Collabushare’s Security Measures include the following, as more particularly described below:

  • Multifactor authentication

  • Inactivity time-out

  • Encrypted third-party access

  • SSL AES 256-bit encryption

  • Software and Customer Data hosted on Amazon Web Services  

1. Data Hosting, Storage and Backups.

Collabushare servers are located in the Amazon Web Services (AWS) Virginia (US) data centre. AWS engages qualified third-party auditors to conduct regular service organization controls audits under Statement on Standards for Attestation Engagements (SSAE) 16 (or an alternative industry standard) for the data centre locations from which it provides services, and produces and makes available to customers a Service Organization Controls 1, Type 2 report (“SOC 1 Report”) and a Service Organization Controls 2, Type 2 report (“SOC 2 Report”).

All data is written to multiple disks instantly, backed up daily, and stored in multiple availability zones. Files that Collabushare customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is updated regularly with the latest security patches.

2. Encryption at Rest and In-Transit.

Over public networks we send data using strong encryption. Collabushare utilizes SSL certificates issued by Heroku. Encryption-at-rest of databases is achieved using AWS’ transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS. Backups are stored on Amazon S3 and encrypted via server-side encryption. Files uploaded to Collabushare are stored in private S3 buckets that require one-time-use, time-limited tokens for access.
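The statement above says uploaded files sit in private buckets that are reachable only with a one-time-use, time-limited token. The page does not describe how Collabushare implements that, so the following is an added illustration, not Collabushare's code: an HMAC-signed download token carrying the object key, an expiry and a random nonce, with a verifier that rejects tampered, expired, replayed or mis-scoped tokens. The key, object names and timestamps are constructed for the demo. One caveat worth knowing when reviewing a vendor's claim like this: AWS S3 presigned URLs enforce the time limit but are not single-use, so "one-time use" has to be enforced by the application (here, the `used_nonces` set, which in a real service would be a shared store).

```python
"""Time-limited, single-use access tokens for private object downloads (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed demo key. A real deployment loads this from a secret manager / KMS.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding base64 needs."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def issue_token(key: bytes, object_key: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Mint a token that grants one download of object_key until now + ttl_seconds."""
    now = time.time() if now is None else now
    payload = {
        "obj": object_key,              # scope: exactly one object
        "exp": int(now) + ttl_seconds,  # absolute expiry, Unix seconds
        "nonce": secrets.token_hex(16),  # makes each token unique, enables single use
    }
    body = _b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(key: bytes, token: str, object_key: str, used_nonces: Set[str],
                 now: Optional[float] = None) -> str:
    """Return "ok" (and burn the nonce) or a short reason for the rejection.

    Order matters: the signature is checked before the payload is parsed, so an
    attacker-controlled body is never interpreted unless it was signed by us.
    """
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig_text)):  # constant-time compare
            return "bad_signature"
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if payload.get("obj") != object_key:
        return "wrong_object"
    if now >= payload.get("exp", 0):
        return "expired"
    nonce = payload.get("nonce")
    if not isinstance(nonce, str) or nonce in used_nonces:
        return "replayed"
    used_nonces.add(nonce)  # single use: the same token can never succeed again
    return "ok"


if __name__ == "__main__":
    burned: Set[str] = set()
    tok = issue_token(DEMO_KEY, "uploads/report.pdf", ttl_seconds=300)
    print(verify_token(DEMO_KEY, tok, "uploads/report.pdf", burned))  # ok
    print(verify_token(DEMO_KEY, tok, "uploads/report.pdf", burned))  # replayed
```

The verifier's ordering (signature, then scope, then expiry, then replay) is the point to check in any real implementation: parsing an unauthenticated payload first, or comparing signatures with `==`, are the two classic mistakes in hand-rolled token schemes.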

3. Physical Security.

Our application and data servers are located in AWS's Virginia datacenter. More information about their controls, including physical security, can be found here.

4. Risk Assessments.

Collabushare undertakes risk assessments which are internal to Collabushare and will not be provided to Customer.

(a) Risk Assessment – Collabushare will perform risk assessments annually that are designed to identify material threats (both internal and external), the likelihood of those threats occurring and the impact of those threats upon Collabushare, in order to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).

(b) Risk Mitigation – Collabushare will use commercially reasonable efforts to manage, control and remediate any threats identified in the Risk Assessments that are likely to result in material unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Customer Data, consistent with the objective of its Security Measures, and commensurate with the sensitivity of the Customer Data.

(c) Vulnerability Management Program – Collabushare maintains a vulnerability management program that includes processes for: being made aware of newly announced vulnerabilities; discovering vulnerabilities within the infrastructure and applications; risk rating vulnerabilities consistent with industry standards; and defining timeframes for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by Collabushare with respect to such vulnerabilities.

 

5. Organizational Security.

(a) Responsibility – Collabushare assigns responsibility for information security management to a senior security official.

(b) Access – Collabushare has controls designed to permit only those personnel performing roles supporting the provision of services under this Agreement to access Customer Data.

(c) Confidentiality – Collabushare personnel who have accessed or otherwise been made aware of Customer Data will maintain the confidentiality of such information in accordance with the terms of this Agreement.

(d) Training – Collabushare will provide information security training to its personnel on approximately an annual basis.

(e) Screening – Collabushare employees who access Collabushare’s networks or systems are subject to certain background checks conducted by Collabushare or its agents. If any person does not meet the requirements of such Collabushare checks, such person may not be permitted to be employed by Collabushare or to have access to Collabushare’s networks or systems where access to Customer Data is provided.

 

6. Physical Security.

(a) Securing Physical Facilities – Collabushare will maintain systems located in Collabushare facilities that host Customer Data or provide services under this Agreement in environments that are designed to be physically secure and to allow access only to authorized individuals.

(b) Physical Security of Media – Collabushare will implement controls, consistent with applicable prevailing industry practices and standards, that are designed to deter the unauthorized viewing, copying, alteration or removal of any media containing Customer Data. Removable media on which Customer Data is stored by Collabushare (including thumb drives, CDs, DVDs and PDAs) must be encrypted using at least 256-bit AES (or equivalent).

(c) Secure Disposal – Collabushare will implement policies and procedures regarding the secure disposal of tangible property containing Customer Data (including paper waste and removable media such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs), or will use commercially reasonable efforts to render Customer Data on such property unintelligible.

 

7. Operations Management.

(a) Network Penetration Testing – Collabushare will, on approximately an annual basis but in no event less frequently than every eighteen (18) months, contract with an independent third party to conduct a network penetration test on its network that has access to, holds or contains Customer Data. If penetration testing reveals material deficiencies or vulnerabilities, the findings will be risk rated consistent with industry standards, and timeframes will be defined for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by Collabushare with respect to such vulnerabilities.

(b) Data Protection During Transmission – Collabushare will encrypt, using an industry-recognized encryption algorithm, Customer Data that includes Personal Information when in transit across public networks.

 

8. Access Controls.

(a) Authorized Access – Collabushare will have controls that are designed to maintain logical separation such that systems hosting Customer Data and/or being used to provide services to the Customer grant access only to authorized personnel, based on the principle of least privilege.

(b) User Access – Collabushare will have a process to promptly disable access to Customer Data by any Collabushare personnel who no longer require such access.

(c) Authentication Credential Management – Collabushare requires its personnel, and any personnel of its delegates or other third parties that have access to Collabushare’s networks or systems, to maintain the confidentiality of system passwords, keys and passcodes.

(d) Multi-Factor Authentication for Remote Access – Collabushare will use multi-factor authentication and a secure tunnel, or another strong authentication mechanism, when remotely accessing Collabushare’s internal network.

 

9. Use of Laptop and Mobile Devices in connection with this Agreement.

(a) Encryption Requirements – Collabushare will encrypt any laptops or mobile devices (e.g., tablets and smartphones) containing Customer Data used by Collabushare’s personnel using an industry-recognized encryption algorithm with at least 256-bit AES encryption (or equivalent).

(b) Secure Storage – Collabushare will require that all laptops and mobile devices be securely stored whenever out of the Collabushare personnel’s immediate possession.

(c) Inactivity Timeout – Collabushare will employ access and password controls as well as inactivity timeouts of no longer than 30 minutes on laptops, desktops and mobile devices managed by Collabushare and used by Collabushare’s personnel.

(d) Remote Management – Collabushare will maintain the ability to promptly remove Customer Data remotely from mobile devices managed by Collabushare. Collabushare has policies requiring personnel to maintain the security of devices managed by Collabushare.

 

10. Information Systems Acquisition, Development and Maintenance.

(a) Customer Data – Customer Data will only be used by Collabushare for the purposes specified in the Software and Services Agreement.

(b) Malicious Code – Collabushare will maintain a malware protection program designed to identify, detect, protect against, respond to and recover from malware infections, malicious code and unauthorized execution of code within the Collabushare environment.

(c) Change Control – Collabushare implements and maintains change control procedures to manage changes to information systems, applications, supporting infrastructure and databases. Such procedures include a process for documenting, testing and approving changes prior to implementation, which may include relevant security controls, as determined by Collabushare on a risk basis and taking into account the type and/or impact of the change and the infrastructure and/or network components in place with respect to such change.

 

11. Security Incident Management.

(a) Investigation and Mitigation – Collabushare will use commercially reasonable efforts to investigate, remediate and mitigate Security Incidents.

(b) Notification – Collabushare will notify the Customer within 24 hours after it has become aware of the occurrence of a Security Incident, unless otherwise prohibited by Applicable Law. In such an event, and unless prohibited by Applicable Law, Collabushare will provide information, to the extent available to Collabushare, sufficient to give a reasonable description of the general circumstances and extent of the Security Incident, and such other available information as Customer may reasonably request, and will provide reasonable cooperation to the Customer:

  i. in the investigation of any such unauthorized access; and

  ii. in the Customer’s efforts to comply with statutory notice or other Applicable Laws applicable to Customer or its customers.

For the avoidance of doubt, Collabushare will not be required to disclose information that Collabushare reasonably determines would compromise the security of Collabushare’s platform or premises, or that would impact other Collabushare customers.

 

12. Program Adjustments. Collabushare monitors, evaluates and adjusts the Security Measures, as it determines is necessary, in view of: (a) continuously evolving security threats; (b) changes in technology; (c) security and data privacy regulations applicable to Collabushare; and (d) Collabushare’s own changing business arrangements; provided that updates and changes to its Security Measures and controls will not materially reduce its protection of Customer Data.

 

13. Payment Security. All payments are handled by a third-party payment processor, Stripe. Customer payment information is sent directly to Stripe and is never stored on Collabushare servers. All payment requests bypass Collabushare servers completely, ensuring that sensitive payment information also does not appear in Collabushare logs. For more information about Stripe’s security controls, you can visit their security page.

 

14. Notification. Any security concerns or vulnerabilities discovered in the Collabushare platform or hosted services can be disclosed by emailing support@collabushare.com.
