Cloud Security Statement

Overview

Project Insight Cloud is the Software as a Service (SaaS) platform designed to host all cloud applications developed and/or managed by Project Insight. All cloud applications are located on servers in the Microsoft Azure Cloud, and/or on physical servers which are co-located in dedicated locked cages of our data center partners in the United States. Microsoft Azure Cloud server instances, and physical servers (located in our data center cages) are provisioned, monitored and managed by the Project Insight DevOps team. All servers which are not part of Microsoft Azure Cloud are owned or leased and physically managed and maintained by the Project Insight DevOps team.

Data

All Project Insight Cloud application data is stored on enterprise database servers like Microsoft SQL Server, and SQL Azure, which are separate from front end application and web application servers. Application files are stored on file servers separate from front end application and web application servers. All data and file storage servers utilize RAID configurations like RAID 10 and RAID 6. If the primary database or file servers are unavailable, redundant database and file servers are available as a backup. Azure file storage containers are configured with built-in redundancy.

Facilities

Access to Project Insight Cloud physical servers in our data center partner locations is limited to authorized Project Insight personnel. All physical access is verified by photo ID, access card, key code verification, and cage combination locks. Physical data center security measures include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. Within the data center, all equipment is stored in locked cages designed to be Zone 4 Seismic Code earthquake-proof construction (where necessary), along with a dry-piped, double-interlocked, pre-action fire protection system.

Project Insight Cloud services which are located in Microsoft Azure Cloud are remotely accessed, with two-form authentication, by authorized Project Insight personnel only.

People and Access

Systems-level access to the Project Insight Cloud platform is limited to authorized personnel within the Project Insight DevOps team for the specific purpose of maintaining and supporting the systems infrastructure. Project Insight Cloud platform systems access is limited to the DevOps team from within specific Project Insight internal networks, using two-form authentication protocols.

The Project Insight Cloud Support team has limited access to customer application support tools (no direct system or data access) for the specific purpose of replying to customer support tickets.

All DevOps and Support personnel with access to Project Insight Cloud platform systems or customer application support tools are subject to annual screening, including background checks.

The Project Insight Cloud platform is monitored continuously 24x7. Information about system uptime is publicly available on the Project Insight DevOps system status page. (link: http://www.projectinsight.net/blogs/pi-dev-ops-system-status)

Application Servers

Project Insight Cloud platform front end application and web servers are backed by load-balanced Windows 2012 Servers running the latest Microsoft .NET and Azure stack(s). All inbound and outbound customer network traffic is limited to 2048-bit SSL/HTTPS protocols. Front end web application and application servers have no customer data; the front end servers are kept separate from data and storage servers.

3rd Party Penetration & Application Vulnerability Scans

The Project Insight Cloud platform network and applications are tested for vulnerabilities every week. The results of scans are forwarded to the Project Insight DevOps team for review and incorporation into future releases and patches.

Certification

To augment the 3rd party application penetration testing we have performed, we have selected data center providers that maintain industry-standard certifications.

Our data centers are SOC-1 (formerly SAS 70) compliant. These certifications address physical security, system availability, network and IP backbone access, customer provisioning and problem management.

Microsoft Azure services utilized by Project Insight Cloud have achieved SSAE 16 reports for SOC 1, SOC 2, and SOC 3 types. See the Microsoft Trust Center for more information (link: https://www.microsoft.com/en-us/TrustCenter/Compliance/SOC)

Backups

Project Insight Cloud platform database data transaction logs are backed up hourly, with a full backup performed nightly. Project Insight Cloud file storage is protected with continuous backup software. All backups are encrypted and copied to globally redundant locations.

Privacy

We understand the importance of ensuring the privacy of your personally identifiable information. For more information, please see our Privacy Statement. (http://www.projectinsight.net/legal/privacy-policy)

NOTE: This Security Statement applies to the Project Insight Cloud platform applications. For more information about Project Insight Cloud platform, please contact us. (http://www.projectinsight.net/about-project-insight/contact)

Effective as of June 2, 2015.