Security, Privacy and Architecture of iComply Investor Services Inc.
Published: June 8, 2018
iComply Investor Services Inc. Corporate Trust Commitment
iComply Investor Services Inc. (“iComply”) is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).
This documentation describes the architecture of, the security- and privacy-related audits and certifications received for, and the administrative, technical and physical controls applicable to, the services branded under iComply as iComplyICO, iComplyID and iComplyKYC products (“Covered Services”).
Some of the elements described in this documentation, such as log retention, back-ups, disaster recovery, and return and deletion of data, do not apply to the temporary developer testing environments branded as “Sandboxes”. This documentation does not apply to other iComply services that may be associated with or integrate with the iComplyICO, iComplyID and iComplyKYC products; only the Covered Services defined above are in scope.
Architecture and Data Segregation
The Covered Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides an effective, logical data separation for different customers via customer-specific “Organization IDs” and allows the use of customer and role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, including testing and production.
iComply Investor Services Inc. services are hosted on the infrastructure of a public cloud provider (“Public Cloud Infrastructure”).
Control of Processing
iComply has implemented procedures designed to ensure that Customer Data is processed by iComply Investor Services Inc. and its sub-processors only as required to deliver the Covered Services and to act on customer instructions. In particular, iComply and its affiliates have entered into written agreements with their sub-processors containing privacy, data protection, and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with such obligations, as well as the technical and organizational data security measures implemented by iComply and its sub-processors, is subject to regular audits.
Certain features of the Covered Services use functionality provided by third parties.
Audits and Certifications
The following security and privacy-related audits and certifications are applicable to the Covered Services. These services are either completed, in progress, or planned:
- EU-U.S. and Swiss-U.S. Privacy Shield certification: Customer Data submitted to the Covered Services is within the scope of an annual certification to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce, as further described in our Privacy Shield Notice. The current certification is available at https://www.privacyshield.gov/list by searching under “iComply.”
- ISO 27001/27017/27018 certification: iComply operates an information security management system (ISMS) for the Covered Services in accordance with the ISO 27001 international standard and aligned to ISO 27017 and ISO 27018. iComply seeks ISO 27001/27017/27018 certification of its ISMS from an independent third party. The ISO 27001/27017/27018 Certificate and Statement of Applicability, once issued, are available upon request from your organization’s iComply account executive.
- Service Organization Control (SOC) reports: iComply’s information security control environment applicable to the Covered Services undergoes an independent evaluation in the form of SOC 1 (SSAE 18 / ISAE 3402), SOC 2 and SOC 3 audits (except for the services hosted on the Public Cloud Infrastructure, which rely on the provider’s own SOC reports). iComply’s most recent SOC 1 (SSAE 18 / ISAE 3402) and SOC 2 reports are available upon request from your organization’s iComply account executive.
Additionally, the Covered Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis.
The Covered Services include a variety of configurable security controls that allow customers to tailor the security of the Covered Services for their own use.
Security Policies and Procedures
The Covered Services are operated in accordance with the following policies and procedures to enhance security:
- Customer passwords are stored using a one-way salted hash.
- User access log entries contain date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and, where required, the source IP address. Note that the source IP address might not be available, or might identify only a shared gateway, if NAT (Network Address Translation) or PAT (Port Address Translation) is used by the Customer or its ISP.
- If there is suspicion of inappropriate access, iComply can provide customers with log entry records and/or analysis of such records to assist in forensic analysis, when available. This service is provided to customers on a time and materials basis.
- Data center physical access logs, system infrastructure logs, and application logs are kept for a minimum of 90 days. Logs are kept in a secure area to prevent tampering.
- Passwords are not logged.
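The two storage rules above (one-way salted password hashes; passwords never written to logs) and the access-log field list are easy to state and easy to get subtly wrong. The following is an added illustration, not iComply’s code, of how a service can satisfy them: a per-password random salt with a self-describing PBKDF2-HMAC-SHA256 hash and constant-time verification, and an access log record that carries exactly the fields listed (date/time, user ID, URL or entity ID, operation, source IP) while redacting credential fields before anything is serialized. The iteration count, salt length and field names are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Optional

# Work factor and salt length are assumptions for this example, not values stated in the policy.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way salted hash in a self-describing form: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Request fields that must never reach a log line (assumed names).
REDACTED_FIELDS = {"password", "new_password", "old_password"}


def access_log_entry(user_id: str, operation: str, url: Optional[str] = None,
                     entity_id: Optional[str] = None, source_ip: Optional[str] = None,
                     request_fields: Optional[dict] = None, now: Optional[datetime] = None) -> dict:
    """Build one user access log record with the fields the policy lists."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    entry = {"timestamp": ts, "user_id": user_id, "operation": operation}
    if url:
        entry["url"] = url
    if entity_id:
        entry["entity_id"] = entity_id
    # Behind NAT/PAT the client address may be missing; record that explicitly rather than guessing.
    entry["source_ip"] = source_ip if source_ip else "unavailable"
    if request_fields:
        entry["request"] = {k: ("[REDACTED]" if k in REDACTED_FIELDS else v)
                            for k, v in request_fields.items()}
    return entry


def log_line(entry: dict) -> str:
    """Serialize a record as one JSON line for a syslog or log-shipping pipeline."""
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(log_line(access_log_entry("u-1001", "updated", url="/api/v1/kyc/cases",
                                    request_fields={"password": "hunter2", "name": "A. User"})))
```

Two details worth noting: the salt and iteration count travel with the hash, so the work factor can be raised later without a migration flag, and the redaction happens on the dictionary before serialization, so no formatting path can leak the credential.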
iComply, or an authorized third party, will monitor the Covered Services for unauthorized intrusions using network-based and/or host-based intrusion detection mechanisms. iComply may analyze data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security and system performance purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Covered Services function properly.
All systems used in the provision of the Covered Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.
iComply maintains security incident management policies and procedures. iComply notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by iComply or its agents of which iComply becomes aware, to the extent permitted by law.
Access to Covered Services requires authentication via mechanisms such as user ID/password. Following successful authentication, a random session ID is generated and stored in the user’s browser to preserve and track session state.
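The security of the session described above rests on the session ID being unguessable and on the server, not the browser, holding the session state. The following is an added example, not iComply’s implementation, of a minimal server-side session table: IDs come from the operating system CSPRNG with 256 bits of entropy, lookups enforce an idle timeout, the ID is rotated after authentication to defeat session fixation, and the cookie is issued with Secure, HttpOnly and SameSite attributes. The entropy size, idle timeout and cookie name are assumptions for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_ID_BYTES = 32          # 256 bits from the OS CSPRNG (assumed value)
SESSION_TTL_SECONDS = 15 * 60  # idle timeout (assumed value)


class SessionStore:
    """Server-side session table keyed by an unpredictable random session ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str) -> str:
        # token_urlsafe draws from secrets.SystemRandom; never use random.random() here.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user_id": user_id, "expires": self._now() + SESSION_TTL_SECONDS}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user bound to a session, or None if unknown or idle-expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() > session["expires"]:
            del self._sessions[sid]  # expired sessions are purged, not revived
            return None
        session["expires"] = self._now() + SESSION_TTL_SECONDS  # sliding idle window
        return session["user_id"]

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID for a live session (after login or privilege change) to defeat fixation."""
        user_id = self.lookup(sid)
        if user_id is None:
            return None
        del self._sessions[sid]
        return self.create(user_id)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, cookie_name: str = "session") -> str:
    """Set-Cookie value: transport-only over TLS, unreadable to scripts, not sent cross-site."""
    return f"{cookie_name}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create("anonymous")
    post_login = store.rotate(pre_login)  # the pre-login ID is now useless to an attacker
    print(session_cookie_header(post_login))
    print(store.lookup(pre_login), store.lookup(post_login))
```

Rotating on authentication matters even with a random ID: an attacker who planted a known pre-login ID in a victim’s browser would otherwise inherit the authenticated session.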
Production data centers used to provide the Covered Services have access control systems that permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, utilize redundant electrical and telecommunications systems, employ environmental systems that monitor temperature, humidity and other environmental conditions, and contain strategically placed heat, smoke and fire detection and suppression systems. The specific security features of each data center are documented by the Public Cloud Infrastructure provider.
Reliability and Backup
All networking components, network accelerators, load balancers, web servers, and application servers are configured in a redundant configuration. All Customer Data submitted to the Covered Services is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to the Covered Services is stored in Tier 1 or Tier 2 data centers. All Customer Data submitted to the Covered Services, up to the last committed transaction, is automatically replicated on a near real-time basis to the secondary site and is backed up on a regular basis. Any backups are verified for integrity and stored in the same data centers as their instance.
Production data centers are designed to mitigate the risk of single points of failure and provide a resilient environment to support service continuity and performance. The Covered Services utilize secondary facilities that are geographically diverse from their primary data centers, along with required hardware, software, and Internet connectivity, in the event iComply production facilities at the primary data centers were to be rendered unavailable.
iComply has disaster recovery plans in place and tests them at least once per year.
The Covered Services’ disaster recovery plans currently have the following target recovery objectives: (a) restoration of the Covered Service (recovery time objective) within an appropriate time after declaration of a disaster; and (b) maximum Customer Data loss (recovery point objective) of 4 hours. These targets exclude a disaster or multiple disasters causing the compromise of both data centers at the same time, and exclude development and test bed environments, such as the Sandbox service.
The Covered Services do not scan for viruses that could be included in attachments or other Customer Data uploaded into the Covered Services by a customer. Uploaded attachments, however, are not executed in the Covered Services and therefore will not damage or compromise the Covered Services by virtue of containing a virus.
The Covered Services use industry-accepted encryption products to protect Customer Data and communications during transmission between a customer’s network and the Covered Services: TLS with cipher suites providing at least 128-bit symmetric encryption, and server certificates with RSA public keys of at least 2048 bits. Additionally, all data, including Customer Data, is transmitted between data centers for replication purposes across a dedicated, encrypted link utilizing AES-256 encryption.
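A client or integration that talks to an endpoint with the properties above should enforce them rather than assume them. The following added example (not iComply’s code) builds a Python TLS context that refuses anything below TLS 1.2, restricts negotiation to forward-secret AEAD suites, and audits the resulting cipher list so that the weakest enabled suite is at least 128-bit. Certificate key size is not checked here, since the standard library does not expose it without a third-party parser; the cipher string is an assumption chosen for the example.

```python
import ssl
from typing import List

# OpenSSL cipher string for TLS 1.2: forward-secret (ECDHE) AEAD suites only. Assumed value.
CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
MIN_SYMMETRIC_BITS = 128


def strict_client_context() -> ssl.SSLContext:
    """Client context: certificate verification on, TLS >= 1.2, restricted TLS 1.2 suites."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_STRING)  # TLS 1.3 suites are separate and all AEAD/>=128-bit
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    return [c["name"] for c in ctx.get_ciphers()]


def weakest_cipher_bits(ctx: ssl.SSLContext) -> int:
    """Effective key strength of the weakest suite the context would negotiate."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Check the two transport properties a practitioner can verify locally."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and weakest_cipher_bits(ctx) >= MIN_SYMMETRIC_BITS)


if __name__ == "__main__":
    ctx = strict_client_context()
    print("weakest suite:", weakest_cipher_bits(ctx), "bits")
    print("policy met:", context_meets_policy(ctx))
    for name in enabled_cipher_names(ctx):
        print(" ", name)
```

The audit step is the useful part: `set_ciphers` accepts any string OpenSSL can parse, so a typo can silently widen the negotiable set, and `get_ciphers` is what catches that before deployment.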
Deletion of Customer Data
After termination of all subscriptions associated with an environment, Customer Data submitted to the Covered Services is retained in inactive status within the Covered Services for 120 days, after which it is securely overwritten or deleted from production within 90 days, and from backups within 180 days.
Without limiting the ability for customers to request return of their Customer Data submitted to the Covered Services, iComply reserves the right to reduce the number of days it retains such data after contract termination. iComply will update this Security, Privacy and Architecture Documentation in the event of such a change.
iComply may track and analyze the usage of the Covered Services for purposes of security and helping iComply improve both the Covered Services and the user experience in using the Covered Services. For example, we may use this information to understand and analyze trends or track which of our features are used most often to improve product functionality; during this research, Customer Data is fully pseudonymized.
iComply may share anonymous usage data with iComply service providers for the purpose of helping iComply in such tracking, analysis and improvements. Additionally, iComply may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.
Interoperation with Other Services
The Covered Services may interoperate or integrate with other services provided by iComply or third parties.