Security & Compliance Policy
Effective: October 27 2019
Iconic Live is committed to the security of your application’s data. As part of this commitment, we use a variety of industry-standard security technologies and procedures to protect your information from unauthorized access, use, or disclosure.
The Iconic Live security program is led by the Chief Technology Officer and is responsible for the following areas:
- Application Security
- Infrastructure and Network Security
- Corporate Security
- Physical Security
Our primary data center, where data is stored and encrypted at rest, is located in the AWS ap-southeast-2 (Sydney) region. We also use a global network of points of presence to deliver a fast and reliable experience to users anywhere in the world. Our data center provider holds independent certifications and attestations including ISO 27001, AICPA SOC 2 and SOC 3, and PCI DSS, and supports HIPAA compliance, among others. These attestations cover the provider's physical and infrastructure controls; the application, corporate and operational controls described on this page are Iconic Live's own.
Meeting Your Compliance Requirements
For Iconic Live Compliant SaaS accounts, all raw data is encrypted at rest and is decrypted only when an authenticated member of the subscription requests it. This provides an additional layer of protection should Iconic Live's infrastructure ever be breached: stored data obtained without the corresponding key is protected by industry-standard encryption and is indistinguishable from random bytes, so it is useless to an attacker.
All data in transit is sent over HTTPS (TLS) encrypted connections, which protects the confidentiality and integrity of data exchanged between the Iconic Live application and the customer.
On designated plans with encryption at rest, account data can be removed by destroying the customer's encryption key in the Iconic Live key store. Once the key is destroyed, the ciphertext left behind can no longer be decrypted, which has the same effect as deleting the data from the database. This option is normally used to remove all data for an account.
On plans that do not use database encryption, data can be purged from the database and ages out of backups within seven days. This option is also used for one-off deletions of specific records.
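The key-destruction approach described above, together with the per-subscription encryption at rest described earlier in this section, can be illustrated with a small Go program. This is an added example, not Iconic Live's code: it assumes one AES-256-GCM data key per tenant held in an in-memory KeyStore, and a hypothetical record ID bound as associated data. Iconic Live's actual key store, cipher and key-management service are not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned once a tenant's key has been shredded.
var ErrKeyDestroyed = errors.New("tenant key destroyed: ciphertext is unrecoverable")

// KeyStore holds one AES-256 data-encryption key per tenant.
// Keys live in memory here for illustration only; a real deployment would
// keep them in a KMS or HSM (an assumption, not something the policy states).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Provision generates a fresh random 256-bit key for a tenant.
func (ks *KeyStore) Provision(tenant string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[tenant] = k
	return nil
}

// Destroy zeroes and removes the tenant's key. After this, every record
// encrypted under it is permanently undecryptable (crypto-shredding).
func (ks *KeyStore) Destroy(tenant string) {
	if k, ok := ks.keys[tenant]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, tenant)
	}
}

// aead builds an AES-GCM instance for the tenant, or fails if the key is gone.
func (ks *KeyStore) aead(tenant string) (cipher.AEAD, error) {
	k, ok := ks.keys[tenant]
	if !ok {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the tenant's key. The record ID is bound as
// associated data so a ciphertext cannot be moved between records.
// Output layout is nonce || ciphertext || tag.
func (ks *KeyStore) Encrypt(tenant, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt opens a record; it fails if the key is gone, the record ID does
// not match, or the stored bytes were tampered with.
func (ks *KeyStore) Decrypt(tenant, recordID string, blob []byte) ([]byte, error) {
	gcm, err := ks.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	ks := NewKeyStore()
	_ = ks.Provision("acme")
	// Constructed sample record; not real customer data.
	blob, _ := ks.Encrypt("acme", "event-1", []byte("card ending 4242 seen at checkout"))
	pt, err := ks.Decrypt("acme", "event-1", blob)
	fmt.Printf("before shred: %q err=%v\n", pt, err)

	ks.Destroy("acme")
	_, err = ks.Decrypt("acme", "event-1", blob)
	fmt.Printf("after shred: err=%v (%d bytes of ciphertext still stored)\n", err, len(blob))
}
```

The second Decrypt fails with ErrKeyDestroyed while the ciphertext is still present, which is exactly the property the policy relies on. In practice the destroy operation has to reach every copy of the key, including key-store backups and any cached copies on application hosts; a key that survives anywhere means the data is still recoverable.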
Customized Data Retention
Iconic Live’s standard data retention is 365 days. Through our Compliant SaaS solution we may accommodate data retention plans of varying lengths to meet your compliance and regulatory requirements.
Access to account data by Iconic Live employees is limited to the set of users who need it for their assigned Iconic Live responsibilities. At Iconic Live, we believe in the principles of ‘need to know’ and ‘least privilege’.
In addition, you are ultimately in control of what data is sent to Iconic Live. The client configuration lets you filter out information you don’t want to send before it leaves your systems, whether because of regulatory requirements such as PCI DSS or because of any other privacy concern you might have.
Contingency Plans and Operations
We have a documented and tested Contingency Plan and Disaster Recovery Plan. These plans are tested at least annually and whenever there is a major change to the Iconic Live environment. Lessons learned from each test are compiled and remediated by our engineering department.
We perform risk management on an ongoing basis and update the Risk Management document as items progress; the official Risk Management document is formally reviewed and updated annually. Our main goals in risk management are the continuity of the Iconic Live service and the confidentiality, integrity, and availability of customer data.
We maintain the following security policies and will make them available for customer review under an NDA. All policies are updated as needed.
- Production Data Usage Policy
- Access Control Policy
- Iconic Live Vulnerability and Patch Management Policy
- Responsible Disclosure Policy
Iconic Live aims to keep its service safe for everyone, and data security is our highest priority. If you are a security researcher and have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us responsibly. For more information, please see our Responsible Disclosure Policy.