Last Updated — November 11th, 2020

Security at Sensible

1. Process Level Requirements

a. Sensible shall implement user termination controls that include access removal / disablement promptly upon termination of staff.

b. Documented change control process will be used to record and approve all major releases in Sensible’s environment.

c. Sensible shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.

d. Sensible shall provide annual Security Training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials should address industry standard topics which include, but are not limited to:

  • The importance of information security and proper handling of personal information.  
  • Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.
  • Logical controls related to strong password selection/best practices.
  • How to recognize social engineering attacks such as phishing.


2. Network Requirements

a. Sensible shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data.


3. Hosting Requirements

a. Servers that process Customer Personal Data shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Microsoft, and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.

b. Cloud Environment Data Segregation: Customer Personal Data will be virtually segregated in accordance with its established procedures. The Customer instance of Service may be on servers used by other non-Customer instances.


4. Application-Level Requirements

a. Sensible shall maintain documentation on overall application architecture, process flows, and security features for applications handling Customer Personal Data.

b. Sensible shall employ secure programming techniques and protocols in the development of applications handling Customer Personal Data.

c. Sensible shall employ industry standard scanning tools and/or code review practices, as applicable, to identify application vulnerabilities prior to release.


5. Data-Level Requirements

a. Encryption and hashing protocols used for Customer Personal Data in transit and at rest shall support NIST approved encryption standards (e.g. SSH, TLS).

b. Sensible shall ensure laptop disk encryption.

c. Sensible shall ensure that access to Customer Personal Data and application system functions is restricted to authorized personnel with a business need for such access.

d. Customer Personal Data stored on archive or backup systems shall be stored at the same level of security or better than the data stored on operating systems.


6. Compliance Requirements

a. Sensible shall adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to building access control and employee security awareness education.

b. Sensible will, when and to the extent legally permissible, perform criminal background verification checks on all of its employees with access to Customer Personal Data. Such background checks shall be carried out in accordance with relevant laws, regulations, and ethics.

c. Sensible will maintain an Information Security Policy (ISP) that is reviewed and approved annually at the executive level.


7. Shared Responsibility

Sensible’s Services require a shared responsibility model. For example, Customer must maintain controls over Customer user accounts and access tokens.

Disclosure Policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@sensible.so. We will acknowledge your email within five business days.

Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.

Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Sensible service. Please only interact with domains you own or for which you have explicit permission from the account holder.

Exclusions

While researching, we’d like you to refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Sensible employees or contractors
  • Any attacks against Sensible's physical property or data centers



Get Sensible — The powerful document query language that provides full control over the parsing process
Get early access
Request sent
Oops! Something went wrong while submitting the form.