Information and Data Security Statement
This statement exclusively covers CrowdFlower’s policies and practices regarding information and data security. It does not recapitulate the law, nor does it attempt to define good conduct outside of the security context.
CrowdFlower is a software-as-a-service (Saas) business. The company has a dedicated operations team that is responsible for ensuring the safe operation of CrowdFlower’s website(s). Members of this team are carefully vetted for reliability and responsibility, and are trained to be knowledgeable and aware of sensitive information.
Production Passwords and Credentials
All passwords and credentials that enable access to CrowdFlower’s production system are stored in secure systems that are only accessible to authorized staff.
Only authorized staff has direct access to production machines. Development staff members have limited access to production services for debugging purposes, and only select authorized individuals have access to CrowdFlower’s data stores for analytics purposes (see Data Security, below).
CrowdFlower uses automated configuration management to ensure that all changes are applied in a deliberate manner. Every change to production, except in cases of emergency, go through the following stages:
- The change is implemented and tested in a sandbox environment;
- The change is committed to configuration management and applied to the testing environment;
- The change is reviewed by one or more authorized staff members, and the testing environment is vetted to ensure that the change is effective;
- The change is applied to the production environment;
- Changes with operational impact are only applied during pre-announced maintenance windows.
General Security Practices
- All access to production systems is via channels secured by virtual private network (VPN) or secure shell (ssh).
- No node or service is allowed to communicate with other services without credentials.
- Only services intended for general consumption are publicly available.
- All systems log to a central repository for analysis and change tracking.
- Continuous backups of data are made and stored in redundant locations.
- Only authorized personnel may access or restore any data from the backup data sets.
- Configuration of systems and services is performed automatically by programs vetted for security deficits.
- CrowdFlower continuously monitors and responds to active and emerging security threats, especially the Open Web Applications Security Project (OWASP) top 10 and Community Emergency Response Teams (CERT) advisories.
- Security updates are applied within seven (7) days in non-emergency cases or more rapidly in the case of an urgent threat.
Securing data in CrowdFlower’s platform includes securing relational databases, online caches, and backups.
- All live data storage systems are separate from other services, can only be accessed via randomly generated credentials managed by authorized personnel, and are rotated quarterly.
- All systems with live data storage restrict direct access to authorized personnel.
- Backups use at-rest encryption and only the nodes performing backups and authorized personnel have access to credentials.
A select group of CrowdFlower staff have limited, read-only access to real-time data for analytics purposes. The need for this access is reviewed on a quarterly basis.
Only data that does not contain any personally identifiable information (PII) may be sent to third-party services for business intelligence analysis Platform Security
CrowdFlower’s platform also contains a number of security measures to ensure the secure performance of its services.
- SSL everywhere. All access to the platform happens through secure HTTPS connections with certificates that have been updated since the “Heartbleed” vulnerability.
- Access control lists define the behavior of any user of the platform, and limit them to authorized behaviors.
- Extensive anti-fraud processes run continuously to detect malicious or harmful use of the platform. These processes are under continuous refinement by our dedicated data science team.
- Tasks have unpredictable identifiers (UUID4) that prevent any individual contributor from predicting other task identifiers.
- Contributors work on a subset of data. Tasks are delivered to contributors in a manner that does not enable them to guess or know the full set of data being worked on. Customers may limit the work performed by any contributor to further constrain the amount of information shared.
- All work activity is extensively logged to enable tracing any security issues.
Secrets, Passwords, and Credentials
Keeping passwords and credentials secure for services used by CrowdFlower is essential. CrowdFlower uses a centralized, secure method for storing and disseminating passwords. Every CrowdFlower employee and consultant is required to use this system for storing secure information.
CrowdFlower requires the use of randomly generated passwords at least 20 characters long for all services. In rare instances, passwords may be shorter if the service provider does not allow 20 characters.
When services require access by multiple users, but do not offer multiple sign-in, credentials may be securely shared via our centralized system to enable team access. Sharing credentials by other means is not permitted.
Other secure information, like credit card information or secure tokens, must be stored in CrowdFlower’s centralized store. It is not permitted to store such information in any other format.
CrowdFlower Issued Equipment
CrowdFlower provides all employees with an Apple laptop to effectively perform work.
All company-issued laptops are equipped with a provisioning profile.
- Ensures that laptops are encrypted
- Requires password entry when waking from sleep mode
- Allows CrowdFlower to remotely wipe the machine in the event of theft or loss
- Allows CrowdFlower to automatically apply OS and software security updates
Data Storage Protocols
All documents, files, and data must be stored in the company’s file storage accounts, revision control systems, or otherwise stored in a company-provided external system. Files may not be stored locally on laptops only. When a CrowdFlower employee or contractor terminates employment, all data stored on company-issued laptops is destroyed.
Data Security Policies and Training for CrowdFlower Employees and Contractors
All employees are issued an Employee Handbook, which includes policies regarding information and data security.
Copyright 2018 CrowdFlower Inc