This document sets forth Archipelago’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms in this attachment shall have the meaning assigned to them in the Agreement unless otherwise defined herein.
1. Principles. Archipelago emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect Customer Data; and (d) integrity to maintain the accuracy and consistency of data maintained in the Service.
2. Security Program. Archipelago maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting periodic risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; and (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data.
3. Data Centers. Archipelago uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification. For further details of these controls please visit: https://aws.amazon.com/compliance/data-center/controls/.
4. Access, Controls, and Policies. Access to manage Archipelago’s AWS environment requires multi-factor authentication, SSH access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Archipelago personnel. All personnel with access to Customer Data have passed background checks. Personnel are trained on documented information security and privacy procedures. Access to Archipelago’s AWS environment must be requested with a valid business reason / job duty responsibility and is subject to approval by authorized personnel. Access is promptly revoked upon termination of employment or change of duties. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured using the principle of least privilege. For support and onboarding purposes, the Archipelago application implements a role-based access control model allowing varying levels of access and explicit grants of access to Customer Data. All access is logged. All Customer Data onboarding activity managed by Archipelago on the customer’s behalf is project managed and executed through an onboarding job application that allows an assigned data engineer to propose changes that are then reviewed and approved by a data manager before going live. An audit trail of changes is recorded.
5. Personal Data. Archipelago aims to capture the minimal personally identifiable information about its users in order to provide support for application functionality, analytics on application use, and communication. Archipelago utilizes a robust third party identity service, Auth0, for user authentication and profile services. User profile data is stored in our Auth0 tenant instance. Privileged application roles are recorded in the Archipelago database by email. Auth0 provides a rich set of logging and user lifecycle capabilities such as automated and manual blocking.
6. Encryption. Customer Data remains encrypted at rest, and the connection to platform.onarchipelago.com is encrypted with 256-bit encryption and supports TLS 1.2. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or SSH. SSL certificates are automatically maintained and renewed using AWS Certificate Manager. Customer Data at rest is stored in encrypted S3 buckets. Database and S3 bucket encryption keys are managed via AWS KMS customer managed keys (CMKs) and are set to rotate automatically on an annual basis.
7. Isolation / Separation. The Archipelago application follows standard multi-tier web application architecture with the main web application being delivered and executed within the user’s web browser. This connects to a load balanced API tier over SSL. The API tier connects to the data tier over SSL. The minimal access required between tiers is enforced utilizing standard AWS features. Code deployment and infrastructure management follows CI / CD best practices. All changes are peer reviewed and tested prior to code merge. The production release process is fully automated taking an existing certified build from the staging environment and deploying this to production after an approval action performed by authorized personnel.
8. Backup and Restoration. Archipelago takes daily snapshots of its databases and securely copies them to a private S3 bucket. Backups are encrypted and have the same protection in place as production. Additionally a warm standby database is maintained in a separate availability zone should the primary database or zone fail.
9. Vendor Management. Archipelago takes reasonable steps to select and retain only third-party service providers that will maintain and implement the security measures consistent with the measures stated herein. Before software is implemented or a software vendor can be used at Archipelago, Archipelago security carefully reviews the vendor’s security policies, certifications, protocols, and security track record. Archipelago security may reject use of any software or software vendor for failure to demonstrate the ability to sufficiently protect Archipelago’s data and Users.
10. Security Incident Response. Archipelago maintains an incident response plan designed to establish a reasonable and consistent response to security incidents and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to, proprietary data or personal data transmitted, stored, or otherwise processed by Archipelago.
11. Antivirus and Security Scans. Anti-virus or anti-malware applications have been installed to detect or prevent unauthorized or malicious software. Archipelago runs security scans on a regular basis. For virus monitoring, Archipelago automatically or manually updates most software it runs and outsources to Amazon when logical and possible. Archipelago maintains a vulnerability scanning process for production systems. The scope of vulnerability scans includes both external and internal systems in the production environment. Archipelago’s Security team performs vulnerability scans at least quarterly and determines a severity rating for each vulnerability based on the assessment tool’s criteria, such that vulnerabilities ranked high or higher require remediation. Vulnerability scans are also run after any significant change to the production environment, as determined by the Archipelago security team. A third-party penetration test is also run at least annually, and vulnerabilities are resolved according to priority and severity.
12. Change Management. Archipelago has established a change management policy to ensure changes meet Archipelago's security, confidentiality, and availability requirements. Management reviews and approves the policy annually. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant teams holding the area of responsibility (“AoR”) prior to deployment. Archipelago reserves the right to update this document from time to time and modify its security practices, provided that such update or modification will not materially and adversely diminish the overall security of the Service during the customer’s Subscription Term.
Dated: December 10, 2021