Security Policy

Sure Shot Labs, LLC Security Policy

 

Physical Security

Application, Database, and Development servers are hosted offsite at Microsoft Azure data centers. Physical access to servers is restricted, and the data center is monitored by Microsoft security staff 24/7/365. More information on Microsoft’s security policy can be found at http://azure.microsoft.com/en-us/support/trust-center/security/.

 

Sure Shot on-site security consists of coded locks on the building, keyed locks on each developer room, external video monitoring, and internal video monitoring.

 

Access Restrictions

Access to Application and Database servers is restricted to approved Sure Shot administrative technical staff. Remote access to Azure servers is restricted by IP address, so administrators may only access servers from approved Sure Shot locations. Server logins are recorded and saved for a period of not less than one year.

 

Development servers are only accessible through the Sure Shot Development VPN. Development VPN access is restricted to approved Sure Shot development staff. The Development VPN does not function as a means to access Production Application or Database servers.

 

Data Security

 

Sensitive Information

Due to the nature of the Sure Shot platforms, only login credentials, API credentials, and service configurations are stored on production Database servers. It is unnecessary for Sure Shot to store individual service data, as it is passed directly from each Provider into the specified marketing platform (i.e. Eloqua). Login data and API credentials are secured with AES-256 and are not decrypted for any user once entered into the system. Only the applications hold the privileges to decrypt the credentials at runtime. Data in transit is always encrypted with SSL/TLS.

 

Log Details

Contact and company info is masked in any data that is stored in logs. No login data or API credentials are stored in server logs, and if emails or contact info are logged, the field is masked out with asterisks (***). Logs are stored for a period of no less than six months.

 

Vulnerability Patches

Critical application vulnerabilities are hotfixed to production as soon as possible once discovered. Critical server vulnerabilities are patched as soon as server updates become available. Regular server patches/updates are applied at least once per month.

 

Security Scans

Third-party system scans are to occur no less frequently than once per quarter. Vulnerabilities that are discovered on Sure Shot systems are to be corrected as soon as possible.