This technology and business continuity statement serves as notice to our customers, vendors, and partners of our practices and standards.
Servers are co-located in a cloud-based architecture with Google Cloud and Amazon Web Services (AWS). Google Cloud data centers are hosted in Iowa (US). AWS data centers are hosted in Virginia (US).
Google Cloud servers host our redundant application and data servers in an active-active configuration, and all data is also replicated continuously to AWS servers. This provides platform-level redundancy in addition to the redundancy obtained from multiple servers within a single platform. Should we need to switch from the primary platform (Google Cloud) to the secondary platform (AWS), this architecture allows an easy and fast switch.
Hosting on these major cloud platforms also provides us additional benefits in terms of implementation of security best practices in areas such as hardware lifecycle management, physical security and network infrastructure. Our servers are constantly updated and patched.
Backup Policy / Business Continuity
We continuously replicate (back up in real time) data between multiple servers hosted by our primary service provider, Google Cloud. Additionally, data is also replicated to AWS (our secondary platform) in real time. RTO and RPO vary according to the criticality of each system. Our servers are managed under a High Availability policy and are redundant within Google Cloud. They are also replicated to the second cloud platform (AWS), which makes switching to the secondary platform possible with little to no material business impact.
Data which is required to be retained in accordance with statutes and regulations is retained according to those requirements.
We have an outside routing layer provided by CloudFlare that provides basic filtering to handle and manage any potential DDoS (distributed denial of service) attacks. Security scans are performed regularly. Our servers are configured to allow only the absolute minimum level of access needed to maintain them.
All unnecessary users, protocols, and ports are disabled and monitored. Our employees and vendors are able to access the servers only through a Virtual Private Network using a 2048-bit encrypted connection with private keys.
Account Security and Privacy
All account information is automatically encrypted when transferred. By default, we and our vendors and partners utilize the TLSv1.2 connection standard on top of SHA256/RSA encryption for HTTPS. For encryption of form submissions, we and our vendors and partners use 2048-bit RSA keys.
256-bit SSL
Forms are served over a protected 256-bit SSL (Secure Sockets Layer) connection that uses a SHA256 certificate. This is the same level of protection used by online banking and e-commerce providers.
Encryption and PCI Compliance
Submission data is transferred and stored in a secure format so that no one else can read it. Submissions are encrypted with high-grade RSA 2048 at the user's computer, then transferred and stored securely. By default, we and our vendors and partners utilize the TLSv1.2 connection standard on top of SHA256/RSA encryption for HTTPS, and 2048-bit RSA keys for encryption of form submissions. The forms are also PCI DSS Service Provider Level I Compliant.
Files are stored on secure servers and further protected under a randomized hexadecimal naming and storage strategy, and also further secured by 256-bit SSL.
For further information, see our Privacy and Security Statement.
Our vendors regularly perform PCI scans of the publicly accessible interfaces to detect any kind of vulnerability. In addition to these PCI scans, penetration tests are performed periodically by the vendors.
Data Center Security
Our primary platform is Google Cloud, which complies with SSAE16 / ISAE 3402 Type II, SOC1, SOC2, SOC3, ISO 27001, ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy), PCI DSS v3.2 and HIPAA. You can find more information about Google Cloud compliance at https://cloud.google.com/security/compliance.
Our secondary platform is Amazon Web Services (AWS), which complies with SOC1, SOC2, SOC3, ISO 27001, ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy), PCI DSS Level 1 and HIPAA. You can find more information about AWS compliance at https://aws.amazon.com/compliance/.
Due diligence on employees and contractors
All employees and contractors must pass a rigorous screening process at the time of hiring or engagement. Additionally, all employees and contractors must sign and are bound by a non-disclosure agreement (NDA).
Changes to this Statement
We may update our Business Continuity Statement from time to time. Thus, we advise you to review this page periodically for any changes. We will notify you of any changes by posting the new Statement on this page. These changes are effective immediately after they are posted on this page.
The statements above include information provided by our vendors, customers and partners, all of whom are third parties. CDLA is not responsible for the security practices, privacy practices, or business continuity practices of third parties. Reporting on tests or audits regarding security, continuity, certifications and other such matters is the sole responsibility of the applicable third party. We specifically disclaim any warranty or representation made by any of our vendors, customers, partners and third parties, whether included above or otherwise.
This website and our services may contain links to other sites and data centers, or services and infrastructure provisioned from or provided by third parties. Examples of these third parties may include, but are not restricted to, originators, servicers, training facilities, lenders, credit bureaus, service bureaus, and employers. If you click on a third-party link, you will be directed to that site. Note that these external sites and data centers are not operated by us and are not necessarily contracted by us. We are not responsible for the business continuity, security, privacy or backup practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects information on you and that you access. We have no control over, and assume no responsibility for, the content, privacy policies, security policies, business continuity practices, employment practices and backup policies of any third-party sites or services.
If you have any questions or suggestions about our technology or business continuity statement, do not hesitate to contact us.