The purpose of these Security and Privacy Practices is to set out Blue State Digital’s security and data privacy practices including the handling of confidential, proprietary, sensitive and critical information. The practices apply to all Blue State Digital business units, wherever they are located in the world.
1.1 Physical Access Controls at Blue State Digital Locations. Blue State Digital operates an access control system at each of its offices (e.g. swipe cards, combination door locks, lock & key) to ensure that only authorized persons are able to enter the premises. Office management maintains records of persons entering Blue State Digital sites. Visitors to any Blue State Digital site are escorted at all times when in areas where there is confidential data.
1.2 Physical Access Controls at Non-Blue State Digital Locations. Blue State Digital relies on third-party subcontractors to process and warehouse data for its BSD Toolset and CallOut applications, and for other purposes.
The BSD Toolset and CallOut applications are hosted in the us-east-1, us-west-2, and eu-west-1 regions of Amazon Web Services. Amazon Web Services is the most widely-deployed cloud vendor and is ISO 27017 and SOC 3 certified. More details about Amazon’s environment can be found at https://aws.amazon.com/security/
Mass email messages delivered by the BSD Toolset are processed by infrastructure based at an Internap colocation facility near Boston. Internap is a highly-rated vendor with top-tier security, physical systems redundancy, and network connectivity standards. The Internap facility is SOC Type II certified. More information can be found at: http://www.internap.com/data-centers/colocation/secure-data-center/
2.1 Access to Networked Systems and Applications. Access to all Blue State Digital systems and applications is provided to staff based on their need, their role in the company, and the department or team in which they work. Blue State Digital staff do not have unrestricted access to all Blue State Digital systems or applications except in the case of certain IT and systems administrators where it is required as part of their role.
2.2 Monitoring, Vulnerabilities & Intrusion Detection. Blue State Digital employs third-party software to automatically monitor its environments for vulnerabilities, viruses, and intrusion. A Blue State Digital systems administrator and software engineer are on call 24/7 to monitor Blue State Digital’s infrastructure for stability and security around the clock. Additionally, Blue State Digital staff performs review of critical network access points and internal systems that store confidential, proprietary, sensitive, or critical information for vulnerability on a regular basis. Blue State Digital follows a procedure of daily, weekly, or monthly checklists and log analysis to validate compliance with operational policies and confirm the operability of backup and monitoring systems.
Blue State Digital disposes of financial data (such as credit card numbers) after transactions are processed, is a PCI DSS-compliant Level 1 Service Provider, and develops software in accordance with the OWASP Top 10 guidelines for web application security. All contribution transactions use SSL encryption, and electronic interactions with payment gateways and other exchanges of sensitive constituent information are always encrypted. In accordance with BSD’s PCI-DSS compliance, Blue State Digital does not retain credit card numbers after transactions have been completed.
3.1 Secure Data Backup & Recovery. Backup data for the BSD Toolset and CallOut is stored off-site as part of Blue State Digital’s Amazon Web Services environment. Client data is automatically backed up at hourly intervals, allowing for the prompt restoration of data in the event of a failure or other incidents. Logs may be used to augment these backups, making Blue State Digital capable of point-in-time recovery.
4.1 Training. All Blue State Digital staff are briefed on these practices as part of the new hire orientation process and on a regular basis during the term of their employment.
4.2 Outgoing Staff: Whenever a member of Blue State Digital staff or an independent contractor leaves Blue State Digital, physical security access is removed and/or deactivated. In cases where a member of Blue State Digital staff is serving their notice to leave, the physical security access rights for that individual are reviewed by an appropriate member of senior management to ensure that any access permitted during the notice period adequately protects Blue State Digital and Blue State Digital client information.
Additionally, whenever a member of Blue State Digital staff or an independent contractor leaves the organization, their account is disabled but (where possible) not deleted and/or purged. Where possible, data from outgoing staff accounts is stored for a minimum 12 month period.
5.1 Client data. Blue State Digital protects the privacy of user information stored on its servers. Clients maintain ownership of user data collected through the BSD Toolset and CallOut applications. Each client database is kept logically separate from other client databases to prevent one client from ever accessing another client’s data. Blue State Digital never distributes user information without the express permission of the user or the client (or a court order compelling BSD to do so).
Additional terms, conditions, and service level agreements may be found in applicable customer agreements.
Didn't find the answer you were looking for?
Email us at firstname.lastname@example.org