PacerPro Security

About PacerPro

PacerPro is a SaaS (Software as a Service) that provides document search and storage for information retrieved from the PACER (pacer.gov) system. We integrate a variety of software and service providers together. As such, our security policy is an amalgam of both our own policy and procedures and those of our upstream vendors.

Platform

Our application servers are hosted by Heroku, a PaaS (Platform as a Service) provider. They provide physical facility, servers, data storage, and networking for us. Their security policy may be accessed on the Internet.

Heroku Security Assessments and Compliance

Data Centers

Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:


  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

PCI

We use the PCI-compliant payment processor Braintree for encrypting and processing credit card payments. Heroku’s infrastructure provider is PCI Level 1 compliant.

Sarbanes-Oxley

As a publicly traded company in the United States, Heroku's parent company, salesforce.com, is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.

Data Practices

Access and Isolation

Customers are permitted to view only their own data and no one else's. We enforce this by attaching a security policy to every data query made on behalf of a user (whether registered or a guest). The policy returns only data belonging to that user or the user's organization. API or HTTPS requests for objects that the policy does not allow (i.e. data fishing) return an HTTP 404 Not Found error. The policies are tested during our normal development process, and each software change is tested against the entire suite of policies to prevent accidental leakage. In the event of an error, users may alert us via an "urgent" support request, whereupon we will fix the bug and release new software. We also run automated penetration testing to alert us to any software defects that our normal testing process may not have detected.
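The per-query policy and the 404 behaviour described above, as an added example in Python (not PacerPro's code; the Principal and Document records, the public flag for guest-visible documents, and the policy_suite_passes regression check are assumptions). Answering out-of-scope ids with the same 404 as missing ids means a response never confirms that another customer's object exists:

```python
# Added example, not PacerPro's own code: a per-request policy that scopes
# every lookup to the caller's own data or organization and answers
# out-of-scope ids exactly like missing ones (HTTP 404). Data is constructed.
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Principal:
    user_id: Optional[str] = None   # None for an unauthenticated guest
    org_id: Optional[str] = None    # organization membership, if any

@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: Optional[str]
    org_id: Optional[str]
    public: bool = False            # assumption: guests see only public docs

def allowed(p, d):
    """The policy: public, owned by the caller, or in the caller's org."""
    if d.public:
        return True
    if p.user_id is not None and d.owner_id == p.user_id:
        return True
    return p.org_id is not None and d.org_id == p.org_id

def scoped_query(p, store):
    """List queries are filtered by the policy, never by caller-supplied ids."""
    return sorted(d.doc_id for d in store.values() if allowed(p, d))

def http_get(p, store, doc_id):
    """'Missing' and 'not yours' share one path, so a 404 never confirms a foreign id exists."""
    d = store.get(doc_id)
    if d is None or not allowed(p, d):
        return 404, "Not Found"
    return 200, d.doc_id

def policy_suite_passes(store, principals):
    """Regression check run on every change: the list path and the
    single-object path must agree, and every forbidden id must look
    exactly like an id that does not exist."""
    for p in principals:
        visible = set(scoped_query(p, store))
        missing = http_get(p, store, "no-such-id")
        for d in store.values():
            want = (200, d.doc_id) if d.doc_id in visible else missing
            if http_get(p, store, d.doc_id) != want:
                return False
    return True

STORE = {d.doc_id: d for d in (  # constructed sample: two organizations, one public document
    Document("d1", "alice", "org-a"), Document("d2", "bob", "org-a"),
    Document("d3", "carol", "org-b"), Document("d4", None, None, public=True))}
PRINCIPALS = [Principal("alice", "org-a"), Principal("carol", "org-b"), Principal()]  # guest last
```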


Site administrators may look at customer data for diagnostic purposes only. Access is controlled via password authentication. Administrative access is limited to designated individuals.

Encrypt Sensitive Data at Rest

All sensitive customer data, e.g. passwords, PACER credentials, and banking information, are encrypted and/or tokenized using industry-standard encryption.

Encrypt Data in Transit

Our applications communicate over HTTPS at all times to protect sensitive data to and from customers. Attempts to communicate over HTTP are redirected to HTTPS.

Logging

We capture logs from our servers using the Logentries.com service. Sensitive data are redacted automatically before storage. Old logs are purged automatically after 30 days.

Audits

We test our application thoroughly and continuously before each release. These tests are automated so that every time there is a code change, the entire test suite is run. We include security tests in our code to prevent policy violations. We will not release anything into production until all tests are passing. In addition to testing, we run our code through a series of "static analysis" tools at Code Climate. These tools scan for security issues, which we address as they are detected. Finally, we run a dynamic security scan using the Tin Foil Security service to identify any "well-known" security vulnerabilities.

Other Vendors

Service | Purpose | Policies | Attestations (SOC2/II, FISMA Moderate, PCI L1, SOX)
Heroku | PaaS | https://www.heroku.com/policy/security | ✓ ✓ ✓ ✓
Sendgrid | Out-bound email | https://sendgrid.com/security | ✓ ✓
Cloud Mailin | In-bound email | https://www.cloudmailin.com/privacy | ✓ ✓ ✓
Amazon Web Services | Document storage | https://aws.amazon.com/security/ | ✓ ✓ ✓ ✓
Logentries | Application logging | https://docs.logentries.com/docs/security/ | ✓ ✓ ✓
Code Climate | Static code analysis, security auditing, style guide conformance | https://codeclimate.com/security | ✓ ✓ ✓
Tinfoil Security | Penetration testing | https://www.tinfoilsecurity.com/security | ✓ ✓ ✓
Pivotal Tracker | Project management | https://www.pivotaltracker.com/help/articles/gdpr_and_data_security/ |
1Password | Password management/encryption | https://1password.com/legal/privacy/ |
Stripe | Payment processing | https://stripe.com/docs/security/stripe | ✓
Zendesk | Help desk/customer support | https://www.zendesk.com/company/policies-procedures/ | ✓ ✓