Data security policy
How we keep your data secure at Magnet
At Magnet Co, LLC, we understand the importance of data security. We are committed to ensuring the safety and confidentiality of sensitive data that we handle every day. Our customers trust us with their personal and financial information, and it is our priority to ensure that we maintain that trust.
The following policy outlines the data security measures implemented by our organization to protect the data of our clients, particularly Confidential Information and Personal Data. This policy applies to all our employees, contractors, suppliers, and any other third parties who may handle or have access to the data owned by our clients.
2. Security Controls
2.1 Firewalls and Intrusion Detection/Prevention Systems
Our networks are fortified by robust security controls designed to detect and prevent cyber attacks. These controls include the use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS), which are set up in a risk-based manner. We place these controls strategically between the internet and our Demilitarized Zone (DMZ), and between the DMZ and internal servers that contain Client's Confidential Information. This approach is aligned with best practice guidelines for network security from the National Institute of Standards and Technology (NIST) NIST SP 800-41.
2.2 Access Controls
To prevent unauthorized access to Client's Confidential Information, we employ physical and logical access controls. These controls are even more stringent in shared environments, ensuring that only authorized individuals can access sensitive data. This policy aligns with industry-standard practices as set out in ISO/IEC 27001 ISO/IEC 27001.
3. Offshore Data Access Prohibition
We adhere strictly to the geographical restrictions set by our clients. Without explicit written consent from our clients, we do not export, transmit, store, any data provided to us under the terms of the Agreement to any country outside of the United States. We solely utilize data centers within the United States of America to host our services. This aligns with various compliance regulations, including the US-EU Privacy Shield Framework and the General Data Protection Regulation (GDPR) GDPR Article 44.
4. Destruction and Return of Client’s Confidential Information
4.1 Secure Destruction
We maintain strict procedures for the disposal or reuse of equipment used for storing Client's Confidential Information. These procedures ensure the secure destruction of such information, in line with NIST Standard 800-88 Revision 1, Appendix A (Guidelines for Media Sanitization) NIST 800-88. Our methods include degaussing, shredding, disintegrating, or pulverizing for physical media and sanitizing software or applications for electronic media.
4.2 Return of Confidential Information
We guarantee that all of the Client’s Confidential Information, including data shared with suppliers, is stored and maintained in a manner that facilitates its return or secure destruction upon the client's request. Our processes adhere to ISO/IEC 27001 guidelines on secure data disposal and return ISO/IEC 27001.
5. Use and Privacy of Personal Data
5.1 Use of Personal Data
In line with regulatory requirements, we commit to using, retaining, or disclosing Personal Data only for the purpose of providing the Services and Deliverables. We strictly prohibit the sale of Personal Data, and we act solely on the instructions of the Client in respect of all Personal Data, unless prohibited by applicable law. These practices comply with key principles of data protection regulations like the GDPR GDPR Article 5.
5.2 Profiling Tools
We commit to not utilizing profiling tools such as cookies, beacons, pixel tags, mobile ad identifiers, or similar technology without first giving each individual user the ability to opt out. This is in accordance with the California Consumer Privacy Act (CCPA) requirements on "Do Not Sell My Personal Information" CCPA Section 1798.120.
6. Remote Access and Authentication
6.1 Remote Access
We maintain a stringent remote access policy, which includes encryption of data flow, use of multi-factor authentication during login, and limiting remote connection settings to prevent access to both initiating and remote networks simultaneously (no split tunneling). These measures align with the NIST recommendations for secure remote access NIST 800-46.
6.2 Authentication and Authorization
We maintain a detailed and documented authentication and authorization policy that governs all systems processing Client’s Confidential Information. The policy encompasses password provisioning requirements, password complexity, lockout thresholds, inactivity thresholds, prohibition of shared accounts, and encryption of credentials. This approach aligns with best practice guidelines for authentication and access control from NIST NIST SP 800-63.
7. Detection, Prevention, and Vulnerability Management
7.1 Unauthorized Access and Harmful Code
We utilize controls to prevent and detect unauthorized access, intrusions, computer viruses, and other forms of malware on our information systems. These controls include regularly updated antivirus programs, firewall isolation of all environments, hardening and configuration requirements that meet industry standards such as SANS Institute, NIST, and the Center for Internet Security (CIS).
7.2 Vulnerability Management
To minimize the potential of vulnerabilities being exploited, we implement a comprehensive vulnerability management program. This includes periodic network vulnerability scans and remediation of identified vulnerabilities within a defined timeframe, annual vulnerability assessments, annual third-party network penetration tests, and if relevant, an annual web application security assessment (WASA). These measures are based on guidelines provided by the NIST NIST SP 800-53.
8. Security Incident Management
8.1 Incident Response Plan
We maintain a comprehensive incident response plan. This plan includes processes for responding to cybersecurity events, goals for the response plan, roles and responsibilities, internal and external communication plans, requirements for remediation, documentation and reporting related to incident response activities, and post-incident evaluation and policy revision activities. This aligns with best practice guidelines from NIST NIST SP 800-61.
8.2 Incident Notification
We define a Security Incident as any suspected or actual unlawful or unauthorized access to, acquisition of, disclosure of, or use of Client’s Confidential Information. In the event of a Security Incident, we will promptly inform the client in writing, no later than twenty-four (24) hours from the time we become aware of the incident, in accordance with state breach notification laws such as California Civil Code Section 1798.82 CCPA Section 1798.82.
9. Change Management and Training
9.1 Change Management
We maintain a robust change management process to ensure that changes to our systems, applications, and networks do not introduce new vulnerabilities or affect the security of Client's Confidential Information. This is in line with industry best practices such as those provided by ITIL ITIL Change Management.
9.2 Security Awareness and Training
We conduct regular information security training sessions, covering topics like identification and reporting of suspected security weaknesses and incidents. Our employees and contractors are made aware of their responsibilities towards the protection of Client's Confidential Information. This is in accordance with NIST guidelines for security awareness and training NIST SP 800-50.
10.1 Self-Audits and Risk Assessments
We regularly monitor the effectiveness of our security program by conducting self-audits and risk assessments at a minimum of every 12 months, as suggested by best practice frameworks such as ISO 27001 ISO/IEC 27001.
10.2 Regulatory Compliance
We are committed to meeting all relevant regulations and standards, such as the GDPR, CCPA, and various industry-specific regulations like HIPAA for healthcare and PCI-DSS for card payment data. We review our policies and procedures periodically to ensure they remain in line with these evolving regulations.
This comprehensive Data Security Policy is not exhaustive and is regularly reviewed and updated to ensure our continued commitment to maintaining the highest level of data security and compliance.
10.3 SOC2 Compliance
We take SOC2 compliance seriously. Although Magnet Co, LLC does not explicitly comply with SOC2 standards, all the tools and services we use to hold our data are SOC2 compliant. We have carefully selected these tools and services to ensure that they meet our strict data security standards.