Marketplace Data Security
Effective date: 2023-02-03
Briefly Stated
ArenaCX considers the protection and stewardship of customer data a top priority. We host our systems and data on AWS, which provides some of the best security infrastructure in the world. We have activated key systems that provide the necessary security to conduct our customer business with confidence.
Data Storage
All customer data is kept in AWS RDS Aurora databases, within Virtual Private Cloud, allowing us tight control over access. The databases and backups are encrypted, and data in transit is encrypted using SSL (AES-256). Access to the databases is controlled via role-based user privileges. Database geographic locations are determined by business need, customer dictates, and international compliance requirements. The underlying AWS framework provides for automated backups, replication, restarts and self-repair.
Files are stored in AWS S3 buckets, and are encrypted. S3 Object Lock and Ownership defaults prevent data loss and unauthorized access.
All logging of data and processes is via AWS CloudWatch, and data is encrypted both in transit and at rest. IAM permissions guard these logs against unauthorized access, and only the minimum data is captured to allow for instrumentation, process management, and analysis. Data that could conceivably contain sensitive material are not logged.
Personally Identifiable Information
ArenaCX captures a bare minimum of personal information of our customers, channel partners and outsourcing vendors. These include names, email addresses, phone numbers and company affiliations, and are captured only when volunteered in the normal conduct of business.
In special cases where ArenaCX processes customer business data, these are scrubbed on arrival of PII using AWS SageMaker’s machine learning-based redaction capabilities, as well as specialized redaction mechanisms to remove and idiosyncratic or industry-specific data types (e.g., ICCID numbers).
AWS Macie applies machine learning to continually scan S3 object contents for unwanted/unintended PII, and alerts our security team when such is found.
Infrastructure Security
Our backend is segregated into multiple accounts, managed as a unified AWS Organization. Role-based permissions are used to control access to these accounts and their systems.
AWS GuardDuty provides continuous threat detection, monitoring for (and alerting us to) malicious activity and unauthorized behavior, across all our accounts, EC2 workloads, RDS Aurora databases, and S3 files.
Application penetration tests are performed annually by an independent third-party.
AWS CloudTrail is enabled across all accounts to enable operational and risk auditing, governance, and compliance.
Access to systems is restricted to specific individuals who have a need-to-know such information and who are bound by confidentiality obligations. Access is monitored and audited for compliance via CloudTrail.
Staff security
The ArenaCX team are trained annually in data security, password best practices, and more–with periodic refresher training and surreptitious testing to ensure these skills are used in practice.
Team members maintain privileged/sensitive business information in a highly secure password safe, configured with role-based privileges to control access by responsibility.
Application security
All ArenaCX web systems are delivered over the Amplify framework, which leverages various AWS security technologies. Security advantages include:
-
Authentication is handled using AWS Cognito, to enforce complex passwords and to allow users to create and recover passwords without ArenaCX support or involvement.
-
All network communication is conducted over SSL/HTTPS
-
APIs supporting the site implement CORS and other defenses to block unauthorized access
ArenaCX reserves the right to change, modify and update this document from time to time as security measures are adapted and improved. The latest “Effective Date” at the top of this statement will be updated with each revision.