Information Security Policy
The purpose of this Information Security Policy is to set forth Loadster's approach to operational security. The primary goals are to:
- Detect and preempt information security breaches, such as misuse of networks, data, applications, and computer systems.
- Maintain Loadster's high reputation and uphold ethical and legal responsibilities to our customers and shareholders.
- Respect the rights of our customers by reacting properly to inquiries and possible complaints of non-compliance.
All Loadster employees and contractors must abide by this policy. Furthermore, we make it public for review by our customers and partners.
Objectives
Information security is focused on three main objectives:
- Confidentiality. Only individuals authorized by the company can and should access data and information. In general, the set of authorized individuals should be kept as small as operations allow.
- Integrity. Data must be kept intact, accurate, and complete. Systems must be kept operational at all times and must degrade gracefully when a failure does occur, to minimize the risk of data corruption or loss.
- Availability. Customers should be able to access Loadster's systems and their data stored therein whenever they need to. If downtime occurs, it must be mitigated as quickly as possible.
Authority & Access Control
As Loadster is a small company, only executives and key employees are generally allowed access to the production database and backend services. Independent contractors, including overseas contractors, may be allowed access to development and staging environments.
Data Classification
Loadster is a testing tool, so most of the data our customers store on our systems is test data. Nonetheless, we take our responsibility to safeguard this data seriously. All data in the production environment is considered production data from our point of view, even if it is test data from the customer's point of view.
Highly sensitive information like credit card numbers is not stored on our servers and never passes through our servers; rather, it is transmitted securely to a 3rd party processor and stored there.
Data Support & Operations
Data Protection
Systems that store production data are hosted by our cloud provider in a virtual private cloud. The virtual private cloud is protected by a firewall that exposes only the ports required to service our customers. The production database encrypts the data at rest.
Data Backup
The full production database is replicated to a hot standby database, so that if the primary database fails, we can switch over to this standby database with little to no data loss or downtime. Additionally, production data is backed up with daily snapshots, so that in the event of catastrophic data loss, it can be restored with less than 24 hours of data loss.
Movement of Data
All data is transmitted to and between Loadster's systems using industry standard TLS encryption. Access to systems by Loadster's employees and contractors, when authorized, is done through key-based SSH.
Security Awareness & Behavior
Automated processes and systems are only part of the answer to ensuring information security. The rest is up to humans. Watch out for social engineering tricks! This can include phishing emails, phone calls, or other communications where the attacker pretends to have a legitimate need to access Loadster's systems or data. Before giving access to any data, be sure you know who you are talking to and they have a legitimate and authorized need to access it. Take steps to prevent unauthorized access to your own laptop and other devices. If you have data or credentials on your device that you no longer need or are no longer authorized to have, delete them promptly.
Responsibilities, Rights, and Duties
All Loadster employees and contractors share a responsibility for keeping data and code safe and secure, while maintaining operational availability. When conducting or participating in code reviews, pay special attention to noticing any potential security vulnerabilities. If a customer or 3rd party brings a security concern to your attention, do not ignore it! Any and all security concerns must be acknowledged and resolved in a prompt and thorough manner. If a security breach occurs and customer data is compromised, Loadster will notify our customers within 24 hours of confirmation, or within 72 hours if a breach is suspected but could not be confirmed.