Security

This is a Security Policy between ("OneDay Web Services LTD", "OneDay Cloud", “OneDay”, “We”, “Us”, “Our”) and ("User", “You”,” Your”) who uses 1daycloud.com website or any other platform apps like Mobile, Windows or IOS, and any of its products or services (collectively, "Website", “Apps” or "Services").

Security Governance

We have a documented set of policies and procedures that defines our approach to security as an organization.

These policies and procedures are shared with all staff and reviewed and updated frequently to ensure our approach to security remains current.

Third Party Security

We carefully review the security practices of third parties we engage – initially and on an ongoing basis to ensure their practices meet industry standards and are compliant with our own privacy and security policies and procedures.

If a third party requires access to our systems, we ensure that access is limited specifically to the purpose for which they have been engaged.

As Amazon Web Services (AWS) is one of our primary providers, we engage with them using the Shared Responsibility Model for security and compliance, ensuring there is a clear definition of who assumes responsibility for what when it comes to security.

AWS is accredited by and compliant with a large number of the latest industry standards – more information can be found here: https://aws.amazon.com/artifact.

For the processing of financial and credit card data, We use several partners whose security practices are compliant with the Payment Card Industry Data Security Standard (PCI-DSS).

Network Security

For our cloud-based platforms, we primarily use Amazon Web Services (AWS) who provide a multi-layered strategy to defend from external attacks.

At an infrastructure level, AWS employs strategies such as network device access control, data segregation using firewalls and virtual private clouds to filter out malicious traffic and make use of extensive logging and monitoring to prevent network-based attacks.

At an application level, we take advantage of AWS Web Application Firewall and AWS Shield to prevent web-based and denial of service (DoS) attacks against our products.

Logging & Monitoring

We make use of a centralized logging system which includes application access audit events.

These logs are retained frequently.

We also use Amazon ELB logs to track service access requests (successful or not). Logs stored in AWS are not able to be modified and access is restricted to those who require it for their role requirements. 

We recognize the importance of reviewing logs regularly to identify malicious user activity and identify potential vulnerabilities with our products; we have automated monitoring in place that alerts us to specific types of potentially malicious events within our global infrastructure.

Patching and Vulnerability Management

Patching of our IT environment is one of the most fundamentally important measures we take to stay secure against a potential security breach.

Protecting Customer Data

We take the security of our customer’s data extremely seriously. We take a number of steps to ensure customer data is carefully protected.

Restricting Access to Data

We take a number of measures to help protect customer data from inappropriate access or use by unauthorized persons (either external or internal). Customer data is only stored in our production environment, and access to that data by Our employees is limited only to the employees who require access to perform their standard duties. Access to customer data is managed using access control and authentication tools (including the use of two-factor authentication) provided by Amazon Web Services and our other cloud partners.

Customer data is only used for purposes that are compatible with providing the contracted services, such as troubleshooting technical support requests. For full details please refer to the Our Privacy Policy

In the rare case that Our support employees need to access the full body of a specific customer’s data then We will always require consent from a customer before accessing this data.

We do not store or cache customer financial data used in conjunction with billing through Our platform, and our employees do not have direct access to billing data.

Physical Access to Customer Data

All customer data is hosted on infrastructure provided by Amazon Web Services which maintains physical security of their sites using industry best practice controls as outlined in their security and compliance website found here: https://aws.amazon.com/architecture/security-identity-compliance.

No customer data is stored at our physical office locations.

Encryption of Data

We have mechanisms in place to ensure that our customers’ data is protected both at rest and when in transit. data is stored securely and subject to the security policies and procedures of AWS.

To protect data in transit, We use Transport Layer Security (TLS) and enforces a minimum standard of TLS v1.2 using 128-bit cipher keys.

We support connections with up to 256-bit cipher keys for use with an Advanced Encryption Standard (AES) cipher.

Backups of Data

Our customers’ data is backed up at regular intervals to disparate data storage solutions provided by Amazon Web Services. Backups are replicated to multiple AWS facilities.

Access to data backups is restricted to only specific employees where that access is required as part of their role requirements.

Deletion and Disposal of Data

Our customer data is principally stored in, and subject to our deletion and disposal procedures.

These procedures include a secure process to logically wipe retired media.

Wiped media is then inspected to ensure the successful destruction of data.

Any of Our owned hardware that contains confidential data – including Our backups – are subject to industry standard logical data destruction before recycling.

Securing our Products

We recognize that for the bulk of customers, their principal experience with Us will be through our flagship products.

Security forms an important part of the way this product is developed, and operates, as discussed below.

Secure Software Development Practices

As part of our product development process, every code and infrastructure change is reviewed prior to the release of the change into production. This review includes observance of security best practices.

We also segregate our development, test and production environments.

Change Control

All changes to Our products are actively tested during their development to ensure the impact to end-users is evaluated prior to deployment, and any significant changes are included in the production release notes.

We employ change tracking and version control systems to actively monitor and manage changes to the code base or configuration of our products.

Vulnerability Identification & Patch Management

We work hard to minimize the number of vulnerabilities that arise in our products, and we recognize that it is important to take proactive steps to make sure we address any vulnerabilities as quickly as possible.

To that end, We actively test and monitors for vulnerabilities in our applications.

Where a vulnerability is identified (internally or externally) the issue is tracked and prioritized according to the potential severity of impact to our customers.

For critical severity issues, this can include round-the-clock work by our developers until the issue is remediated.

Patches for issues are developed and released into the production environment through a continuous integration process (CI/CD) and applied as soon as possible.

Handling Security Incidents

While we do our utmost to prevent any security incidents, we recognize that we also need to be prepared to handle these incidents should they arise to minimize the potential impact on our customers and our products.

We have a range of measures in place including:

  • A documented Incident Management Procedure that defines our process for handling the confidentiality, integrity and availability of our IT environment and applications.
  • Disaster recovery plans and contingency strategies can be executed to help us maintain the continuity of operations during an incident. This includes the use of multiple geographical availability zones via Amazon Web Services and the replication of data across multiple systems in each zone. This ensures continued data access during incidents affecting system availability and provides data redundancy in the case of system or data storage failures.

We promptly alert affected clients of major incidents impacting the availability of Our services or data and of any incidents affecting the confidentiality and integrity of user data as per our Privacy Policy.

Contact Us

We consider Cybersecurity a fundamental part of our business, and of the products we provide to businesses around the world. While the controls and measures we have in place extend significantly beyond what is covered here, this content serves to provide an overall understanding of the multi-faceted approach we take, and our commitment, to security.

If you have any questions about the contents or require more information about our approach to supporting, security or privacy please contact us at the details below:

info@1daycloud.com


This document was last updated on July 7, 2021

Contact us

info@1daycloud.com


www.1daycloud.com


Tysons Corner, Virginia, United States


Links

OneDay Cloud Copy Rights Reserved 2021