Data Protection

LAST UPDATED: 03/01/2023

Polyloop maintains organisational and technical measures (“Security Practices”) to protect information you provide to us (“Customer Information”) from loss, misuse, and unauthorised access or disclosure. These measures take into account the sensitivity of the information Polyloop collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Polyloop engages in.

Where used in this Security Practices document, “Polyloop Services” means the Self-Serve Services or Enterprise Services, as applicable and as defined in the terms applicable to your access to and use of the Polyloop Services (the “Agreement”). Capitalised terms not defined in this document have the meanings given to them in the Agreement.

The Security Practices include:

1. Assigned Security Responsibility.

Polyloop has a designated security official and security team responsible for overseeing the development, implementation, and maintenance of its Security Practices.

2. Personnel Practices.

  1. All of Polyloop’s employees:

    1. are bound by Polyloop policies regarding the confidential treatment of Customer Content

    2. receive security and privacy training during onboarding and on an ongoing basis at least annually thereafter, and supervision at a level and substance that is appropriate to their position

    3. are required to read and sign information security policies covering the confidentiality, integrity, availability and resilience of the systems and services Polyloop uses in the delivery of the Polyloop Services.

  2. Polyloop maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorised Users make available via the Polyloop Services, and to prevent access to Customer Content by anyone who should not have access to it.

  3. Polyloop conducts appropriate pre-employment screening commensurate with the sensitivity of a role, which may include criminal background checks for particularly sensitive positions, where permissible by law.

3. Compliance and Testing.

Polyloop’s security-related audits, certifications, and testing include:

a. Service Organisation Control (SOC) Reports: Polyloop undergoes a SOC 2 Type II and Type III audit annually which is performed by an independent third party auditor. A copy of Polyloop’s most recent report is available upon request for existing Enterprise customers or for prospective Enterprise customers who agree to hold the report in confidence under a Polyloop form of non-disclosure agreement.

b. PCI DSS: When payments are processed via credit card, Polyloop uses third-party vendors that are PCI DSS compliant. At no point does Polyloop store, transmit, or process your credit card information; Polyloop simply stores anonymous tokens that identify the applicable processed transactions.

c. FedRAMP Authorisation: Polyloop is authorised for use under the U.S. government’s Federal Risk and Authorisation Management Program, a certification process that is audited against the NIST SP 800-53 standard.

d. Penetration Testing: Polyloop’s product platform (both web and mobile) is subjected to annual penetration testing performed by an independent third party.

4. Access Controls.

Polyloop has and will maintain appropriate access controls, including:

a. Policies and procedures that address onboarding, off-boarding, transition between roles, regular access reviews, limitations and usage control of administrator privileges, and inactivity timeouts;

b. Segregation of conflicting duties and areas of responsibility;

c. Maintaining current and accurate inventories of computer and user accounts;

d. Enforcing the principles of “least privilege” and “need to know”;

e. Reviewing user access rights on a regular basis to identify excessive privileges;

f. Enforcing a limit of login attempts and concurrent sessions; and

g. Password requirements that include a defined minimum complexity, password changes after the first login, and subsequent changes at predetermined intervals with limits on reuse.

5. Multi-Factor Authentication.

a. Access to the systems used by Polyloop employees and contract personnel is controlled by multi-factor authentication. This means that all Polyloop employees and contractors are required to provide proof of their identity, in addition to the provision of any password, in order to gain access to any system used in the provision of the Polyloop Services.

b. Polyloop also makes available multi-factor authentication capability for its Customers and their Authorised Users in respect of their use of the Polyloop Services (as a tool for their use in maintaining the security of their accounts).

6. Single Sign-On.

a. Polyloop has implemented single sign-on (SSO) company-wide to ensure greater and more centralised access control to the systems used by Polyloop employees and contract personnel.

b. Polyloop also makes SSO capability available for Enterprise customers that wish to ensure greater and more centralised access control to their accounts.

7. Data Encryption.

a. The Polyloop Services support the latest secure cipher suites and protocols to encrypt all traffic in transit. Polyloop currently supports only TLS 1.2 and TLS 1.3 on its main website and all pages that accept credit card information, and supports TLS 1.2 and TLS 1.3 on all pages.

b. Customer Content is also encrypted at rest, where appropriate and having regard to the nature of the content and associated risks. Almost all of the information Polyloop processes is widely accessible from Social Networks or elsewhere, but all scheduled and approval-pending messages, for example, are encrypted at rest for additional protection.

c. Polyloop monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Polyloop Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Polyloop does this while also balancing the need for compatibility for older clients.

8. Logging and Intrusion Detection.

a. All systems used in the provision of the Polyloop Services, including firewalls, routers, network switches, and operating systems, log information to secure log servers in order to enable security reviews and analysis.

b. Polyloop maintains an extensive, centralised logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Polyloop Services. Logs are analysed for security events via automated monitoring software, overseen by Polyloop’s security team.

c. Polyloop monitors the Polyloop Services for unauthorised intrusions using network-based and host-based intrusion detection mechanisms and Web Application Firewalls.

9. Network Protection.

In addition to system monitoring and logging, Polyloop has implemented firewalls. Ports not utilised for delivery of the Polyloop Services are blocked by configuration with our data centre provider.

10. Host Management.

Polyloop performs automated vulnerability scans on its production hosts and uses commercially reasonable efforts to remediate any findings that present a material risk to the Polyloop environment. Polyloop enforces screen lockouts and the usage of full disk encryption for company laptops.

11. Availability.

Polyloop’s infrastructure runs on systems that are fault tolerant and it provides Enterprise customers with a guaranteed up-time, as set out in the Enterprise Service Level Agreement published at .

12. Disaster Recovery.

a. When your use of the Polyloop Services requires Polyloop’s systems to store Customer Content, such Customer Content is stored redundantly at multiple locations in Polyloop’s hosting provider’s data centres to ensure availability. Polyloop has backup and restoration procedures to allow recovery from a major disaster.

b. Customer Content and Polyloop’s source code are automatically backed up on a nightly basis. Polyloop’s operations team is alerted in the event of any failure with this system. Backups are fully tested at least every 90 days to confirm that these processes and tools work as expected.

13. Physical Security.

Polyloop currently uses Amazon Web Services (AWS) for its production data centres to provide the Polyloop Services. AWS was selected for its high standards of both physical and technological security, and has internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services' certification and compliance, please visit the AWS Security website and the AWS Compliance website.

14. Security Policies and Procedures.

Polyloop implements and maintains security policies and procedures that align with the National Institute of Standards and Technology (NIST) cybersecurity framework. In particular, the Polyloop Services are operated in accordance with the following policies and procedures:

a. Customer passwords are stored using a one-way salted hash.

b. User access logs are maintained, containing date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted), and source IP address.

c. Customer passwords are not logged.

d. Polyloop personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.

15. Product Design Security Practices.

New features, functionality, and design changes go through a review process facilitated by Polyloop’s security team. In addition, Polyloop’s code is tested and manually peer-reviewed prior to being deployed to production. Polyloop’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.

16. Incident Management & Response.

Polyloop maintains security incident management policies and procedures. Polyloop notifies impacted customers without undue delay of any unauthorised disclosure of their Customer Content by Polyloop or its agents of which Polyloop becomes aware, to the extent permitted by law.






© Policy Platforms Ltd. 2023