PacerPro is a SaaS (Software as a Service) product that provides document search and storage for information retrieved from the PACER (pacer.gov) system. We integrate a variety of software and service providers, so our security policy is an amalgam of our own policies and procedures and those of our upstream vendors.
Our application servers are hosted by Heroku, a PaaS (Platform as a Service) provider. Heroku provides the physical facilities, servers, data storage, and networking; its security policy is published on the Internet.
Heroku Security Assessments and Compliance
Heroku's physical infrastructure is hosted and managed within Amazon's secure data centers and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
We use the PCI-compliant payment processor Braintree for encrypting and processing credit card payments. Heroku's infrastructure provider is PCI Level 1 compliant.
As a publicly traded company in the United States, salesforce.com (Heroku's parent company) is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.
Access and Isolation
Customers can view only their own data and no one else's. We enforce this by attaching a security policy to every data query made on behalf of a user, whether registered or a guest; the policy returns only data belonging to that user or the user's organization. API or HTTPS requests for objects the policy does not allow (for example, data fishing by guessing identifiers) receive an HTTP 404 Not Found, which does not tell the requester whether the object exists. The policies are tested during our normal development process, and every software change is run against the entire suite of policy tests to prevent accidental leakage. Should a leak nonetheless be found, users may alert us via an "urgent" support request, whereupon we fix the bug and release new software. We also run automated penetration testing to alert us to defects that our normal testing may have missed.
Site administrators may look at customer data for diagnostic purposes only. Administrative access requires password authentication and is limited to designated individuals.
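The scoping approach described above, as an added example that is not PacerPro's own code: a policy object in plain Ruby over an in-memory data set. The Document, User, DocumentPolicy, NotFound and show_document names, the Rack-style [status, body] wrapper and the sample records are all hypothetical. Every read goes through the scope, and a lookup of an object outside the scope raises the same NotFound as a lookup of an object that does not exist.

```ruby
# Added example, not PacerPro's code: a query-scoping policy of the kind
# described above, over an in-memory data set. All names are hypothetical.

Document = Struct.new(:id, :owner_id, :org_id, :public_filing, :title,
                      keyword_init: true)
User = Struct.new(:id, :org_id, keyword_init: true)

# Constructed sample data: one firm (org 10) with a private docket and a public
# opinion, a second firm (org 20), and a solo user with no organization.
DOCUMENTS = [
  Document.new(id: 1, owner_id: 1, org_id: 10,  public_filing: false, title: "Acme v. Widget - docket"),
  Document.new(id: 2, owner_id: 1, org_id: 10,  public_filing: true,  title: "Acme v. Widget - opinion"),
  Document.new(id: 3, owner_id: 2, org_id: 20,  public_filing: false, title: "Smith v. Jones - docket"),
  Document.new(id: 4, owner_id: 4, org_id: nil, public_filing: false, title: "In re Solo - docket"),
].freeze

# Raised (and rendered as HTTP 404) for any object outside the caller's scope,
# whether the object exists or not, so a probe cannot tell the two apart.
class NotFound < StandardError; end

class DocumentPolicy
  # user is nil for a guest (unauthenticated) request.
  def initialize(user)
    @user = user
  end

  # Every read goes through this scope, so a forgotten check in a controller
  # cannot expose another organization's records.
  def scope(records = DOCUMENTS)
    records.select { |doc| visible?(doc) }
  end

  # Lookup by id inside the scope. An id that exists but belongs to someone
  # else and an id that does not exist both raise the same NotFound.
  def find!(id, records = DOCUMENTS)
    doc = scope(records).find { |d| d.id == id }
    raise NotFound, "document #{id}" if doc.nil?
    doc
  end

  private

  def visible?(doc)
    return true if doc.public_filing
    return false if @user.nil?                       # guests: public filings only
    return true if doc.owner_id == @user.id          # the user's own data
    # The org check deliberately ignores nil, so two solo users (org_id nil)
    # never match each other.
    !doc.org_id.nil? && doc.org_id == @user.org_id   # the user's organization
  end
end

# Controller-style wrapper returning [status, body], as a Rack app would.
def show_document(user, id)
  [200, DocumentPolicy.new(user).find!(id).title]
rescue NotFound
  [404, "Not Found"]
end

if $PROGRAM_NAME == __FILE__
  member = User.new(id: 1, org_id: 10)
  p show_document(member, 1), show_document(member, 3), show_document(nil, 1)
end
```

The point of the pattern is that an unscoped lookup by a user-supplied id is never available to request handlers; in a Rails application the same effect comes from always querying through an association scoped to the current user or organization, whose RecordNotFound error Rails renders as a 404.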
Encrypt Sensitive Data at Rest
All sensitive customer data, e.g. passwords, PACER credentials, and banking information, is encrypted and/or tokenized using industry-standard encryption.
Encrypt Data in Transit
Our applications communicate over HTTPS at all times to protect data in transit to and from customers; requests made over plain HTTP are redirected to HTTPS.
Logging
We capture logs from our servers using the Logentries.com service. Sensitive data is redacted automatically before a log line is stored, and old logs are purged automatically after 30 days.
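Redaction before storage, as an added example that is neither PacerPro's nor Logentries' code: a filter in Ruby that masks credential-like key/value pairs, bearer tokens and Luhn-valid card numbers in both plain-text and JSON log lines before they leave the process. The key list, the patterns and the sample log lines are constructed for illustration; the Luhn check is there so that docket numbers and other long digit runs are not mangled.

```ruby
# Added example, not PacerPro's or Logentries' code: a log-redaction filter of
# the kind the section describes, applied to each line before it is shipped.
# Key names, patterns and the sample lines are constructed for illustration.
require 'json'

# Keys whose values are always masked, in key=value text or in JSON objects.
SENSITIVE_KEYS = %w[password pacer_login pacer_password card_number cvv token].freeze

KV_RE     = /\b(#{SENSITIVE_KEYS.join('|')})=("[^"]*"|\S+)/i
BEARER_RE = /\b(Bearer)\s+[A-Za-z0-9._~+\/-]+=*/i
# 13-19 digits with optional single space/dash separators, starting and ending on a digit.
CARD_RE   = /\b\d(?:[ -]?\d){12,18}\b/

# Luhn check so that docket numbers and other long digit runs are left alone.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.each_with_index.sum do |ch, i|
    d = ch.to_i
    next d if i.even?
    d * 2 > 9 ? d * 2 - 9 : d * 2
  end
  (sum % 10).zero?
end

def redact_text(text)
  out = text.gsub(KV_RE) { "#{$1}=[REDACTED]" }
  out = out.gsub(BEARER_RE) { "#{$1} [REDACTED]" }
  out.gsub(CARD_RE) do |m|
    digits = m.delete(' -')
    luhn_valid?(digits) ? "[CARD:#{digits[-4, 4]}]" : m  # keep last 4 for support
  end
end

# Structured (JSON) lines: mask by key, then run the text filter on remaining strings.
def redact_value(obj)
  case obj
  when Hash
    obj.to_h { |k, v| [k, SENSITIVE_KEYS.include?(k.to_s.downcase) ? '[REDACTED]' : redact_value(v)] }
  when Array then obj.map { |v| redact_value(v) }
  when String then redact_text(obj)
  else obj
  end
end

def redact_line(line)
  if line.lstrip.start_with?('{')
    begin
      return JSON.generate(redact_value(JSON.parse(line)))
    rescue JSON::ParserError
      # not JSON after all; fall through to the text filter
    end
  end
  redact_text(line)
end

# Constructed sample lines (not real log data).
SAMPLE_LOG = [
  'POST /login user=jdoe password=hunter2 ip=203.0.113.7',
  'pacer sync org=10 pacer_login=acme01 pacer_password="s3cret pw" status=ok',
  'warn upstream 401 for "Bearer eyJhbGciOi.abc.def" retrying',
  'payment org=10 card 4111 1111 1111 1111 amount=12.50',
  '{"event":"signup","password":"pw","card":{"card_number":"4111111111111111","cvv":"123"},"note":"order 1234567890123"}'
].freeze

def redact_all(lines = SAMPLE_LOG)
  lines.map { |l| redact_line(l) }
end

puts redact_all if $PROGRAM_NAME == __FILE__
```

Masking by key in structured logs is more reliable than pattern matching on free text, so the filter does that first and falls back to patterns only for strings that survive; the 13-digit "order" number in the last sample line is left intact because it fails the Luhn check, while the card number in the payment line is reduced to its last four digits.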
Software Testing
We test our application thoroughly and continuously before each release. The tests are automated, so the entire suite runs on every code change, and it includes security tests that exercise the access policies so that a change cannot introduce a policy violation. Nothing is released to production until all tests pass. In addition, we run our code through a series of static analysis tools at Code Climate, which scan for security issues that we address as they are detected. Finally, we run a dynamic security scan using the Tinfoil Security service to identify known classes of vulnerabilities.
| Service | Purpose | Policies | SOC2/II | FISMA Moderate | PCI L1 | SOX |
|---|---|---|---|---|---|---|
| Cloud Mailin | In-bound email | https://www.cloudmailin.com/privacy | | | | |
| Amazon Web Services | Document storage | https://aws.amazon.com/security/ | | | | |
| Code Climate | Static code analysis, security auditing, style guide conformance | https://codeclimate.com/security | | | | |
| Tinfoil Security | Penetration testing | https://www.tinfoilsecurity.com/security | | | | |
| Pivotal Tracker | Project management | https://www.pivotaltracker.com/help/articles/gdpr_and_data_security/ | | | | |
| Zendesk | Help desk/customer support | https://www.zendesk.com/company/policies-procedures/ | | | | |