Security and Compliance

Compliance

GDPR

ScanX is committed to complying with General Data Protection and Regulation (GDPR). We have dedicated ourselves to building our systems to comply with the GDPR. The European Union’s General Data Protection Regulation (GDPR) protects European Union (EU) individuals’ fundamental right to privacy and the protection of personal data. The GDPR includes robust requirements that raise and harmonize standards for data protection, security, and compliance. Please review the GDPR FAQs below here at https://aws.amazon.com/compliance/gdpr-center/

PCI/DSS

ScanX’s payment system and credit card information are processed using Stripe. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, they use the best-in-class security tools and practices to maintain a high level of security. All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. Internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allow list. The infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment and doesn’t share any credentials.

• We also enforce the use of HTTPS for all services using TLS (SSL), including our public website and the Dashboard.
• ScanX is served only by TLS
• ScanX is separated by subnets

Infrastructure

Data Encryption in Transit and At Rest

All data is sent securely to ScanX via the HTTPS protocol using the latest recommended ciphers and TLS protocol. All customer data is encrypted at rest on ScanX servers.

Physical Access

ScanX hosts its data on Amazon Web Services and Google Cloud. However, in cases where administrators need physical access to data, access rights shall be established, documented, and periodically reviewed based on business needs and external requirements.

Access controls should consider:

• Security requirements are given business needs, anticipated threats, and vulnerabilities. Relevant legislative and regulatory requirements.
• Contractual obligations and service level agreements.
• Consistency across ScanX systems and networks.

Access control considerations include:

• The use of clearly stated rules and rights based on user profiles.
• Consistent management of access rights across Information
• Resources using an appropriate mix of logical (technical) and physical access controls.
• Segregation of access control roles including access request by the appropriate department, access authorization by the Data Owner, and access administration by the Network Administrator.
• Requirements for the formal authorization and timely removal of access rights.

All critical Information Resources must limit and enforce access to only the times identified as necessary for the completion of ScanX business processes. All access to these systems and applications at all other times shall be disabled or suspended.

All access to any database containing Sensitive Information (including access by applications, administrators, and all other users) shall be restricted as follows:

• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators can directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Inactive sessions must be automatically terminated. The amount of time permitted before session termination must be aligned with the criticality of the information. Approved compensating controls, e.g., password-protected screensavers or terminal locks must be activated for information systems and applications that cannot automatically terminate sessions.

All critical information systems and applications must not allow users to have multiple concurrent sessions on the same system.

Auditing

Security audits help manage and reduce risks to ScanX Information Resources. A security auditor, an independent third party, evaluates systems for security best practices and compliance with an established set of security requirements.

The Information Security Officer shall consider the following when determining the audit scope:

• Vulnerabilities – establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Note: Risk rankings should be based on industry best practices as well as consideration of potential impact.
• Evaluating – identify methods for evaluating vulnerabilities and assigning risk ratings based on an organization’s environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process or transmit sensitive data.
• Automated tools – automated tools may be used to identify a variety of vulnerabilities including weak passwords, configuration issues, improper access controls, and patch management issues.
• Administrative safeguards – the auditor can review and evaluate policies, procedures, training plans, and other administrative security controls.
• Penetration testing – penetration testing may be used to identify system vulnerabilities.

Access to audit tools shall be controlled and restricted to prevent possible misuse or compromise of Information Resources and log data. Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimize disruptions to business processes.

Where possible, the Information Security Officer shall use Certified Information Systems Auditors to audit the security controls of ScanX Information Systems. Security audits shall be performed on an annual basis or more frequently if major changes occur to Information Resources.

Application Security

Login Security

Users are required to log in to ScanX systems to access their user accounts. Logging into ScanX systems requires the users to authenticate themselves. The authentication method used depends on the sensitivity of the information asset, the authorization level requested by the user (e.g. regular user, administrator. Authentication data and devices (e.g. passwords, authentication tokens) provided by ScanX are meant for the individual use of the user receiving them. Authentication data should not be given to any other party, nor should it be used in any way other than for the fulfillment of the user’s duties.

Logical access controls shall be established and documented for all ScanX Information Resources. The access controls shall be implemented based upon the principle of least privilege. All third-party service providers’ access to the ScanX network and information systems must adhere to the same access restrictions as internal users.

Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. In addition, physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Shared user IDs shall not be existing for system administration and other critical functions. Shared and generic user IDs are not to be used to administer Information Systems and components.

Authentication procedures verify a person or entity seeking access to sensitive information is the one claimed. Policies specify the types of approved authentication mechanisms that are reasonable and appropriate and control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.

Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

Risk Management

Risk assessments identify ScanX data security and related threats and vulnerabilities. The accompanying risk analysis identifies the impact on our organization and provides recommendations for treating risks.

To properly secure and protect ScanX’s user’s data, a significant amount of design, planning, and implementation expertise is required to ensure that the proper level of controls is designed and implemented. While preparing and conducting a risk assessment, the following best practices or approaches should be considered.

The risk assessment shall identify assets, threats to the assets, vulnerabilities that exist as a result of the threats, and the likelihood of the event. Data and metadata shall describe how sensitive information is created, received, maintained, transmitted, and flows through the organization. Such documentation shall consider and identify:

• Less obvious sources of sensitive information including mobile devices.
• External sources including vendors, consultants, and other third-party service providers that create, receive, maintain, or transmit sensitive information.

For Cloud Computing environments, the risk assessment shall identify risks related to business continuity, capacities, and dependent services.

Corporate Security Risk Management Plan

The Risk Treatment Plan shall include a prioritized list of assets, related vulnerabilities, and preventive, detective, and corrective controls that manage risks. The prioritized list helps align the allocation of funds based upon the criticality of the asset and related risks.

To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be located away from locations subject to high probability environmental risks.

Redundant equipment shall be located a reasonable distance away from primary systems. For cloud computing services the risk analysis and risk treatment plan shall:

• Manage risk as defined in the master agreement or industry best practices and standards.
• Identify security measures in place to protect sensitive information.

Executive management shall be involved in risk management and mitigation decisions including how security processes are communicated throughout the organization. The risk assessment, risk analysis, and risk treatment plan shall be reviewed on an annual basis to ensure that controls are sufficient and effective at treating risks.

Information Security Policy

Information Technology resources are a growing and important asset of ScanX. They can provide a critical competitive advantage in the form of information gathering, improved external communications, and increased customer responsiveness. ScanX follows internal systems and procedures by an Information Security Committee. This policy describes ScanX management’s view of information security and its implementation in both corporate vision and day-to-day activities of the company offices worldwide and refers to all systems, networks, and data resources operated and managed by ScanX. The policy provides high-level guidelines for practicing information security.

ScanX management is committed to maintaining a high level of information security and intends to invest the required resources to enforce its policy in all aspects of the company’s activities.

The above-mentioned 62-page policy can be made available upon request for ScanX Enterprise customers:

• Information Security Policy
• Organization Roles and Responsibilities
• Auditing
• Asset Management
• Asset Management
• Risk Assessments
• Data and Privacy
• Access Management
• User Policies
• Non-disclosure Agreements
• Encryption Procedures
• Change Management
• Software Development
• Backup Procedures