Security and Compliance

Compliance and Certification

GDPR

If you are dealing with any European Union data through a vendor (like Image-Charts), then you need a contractual agreement in place with each vendor so the EU knows you’re only doing business with companies that fully comply with the General Data Protection Regulation (GDPR).

Data Processing Addendum

A data processing agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors or data processors and subprocessors.


Subprocessors

Under the GDPR, a sub-processor is any business or contractor that customer data may pass through as a side effect of using Image-Charts's service.


PCI DSS

Image-Charts’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.

Image-Charts does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with an Image-Charts product, please contact security@image-charts.com.

Include a proof of concept, a list of tools used (including versions), and the output of the tools. We take all disclosures very seriously. Once disclosures are received, we rapidly verify each vulnerability before taking the necessary steps to fix it. Once verified, we periodically send status updates as problems are fixed.

If you would like to encrypt sensitive information that you send us, our PGP key can be found on Keybase with the fingerprint:

5979F08D86220A908A68AA2B33AF768DF5E057AA

We also have an open bug bounty for critical vulnerability reports.

Infrastructure and Network Security

Physical Access Control

Image-Charts is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as:

  • Custom-designed electronic access cards
  • Alarms
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Biometrics

According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”

Image-Charts employees do not have physical access to Google data centers, servers, network equipment, or storage.

Logical Access Control

Image-Charts is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated, authorized Image-Charts operations team members have access to configure the infrastructure, on an as-needed basis, behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Third-Party Audit

Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Business Continuity and Disaster Recovery

High Availability

Every part of the Image-Charts service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Image-Charts keeps hourly encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Disaster Recovery

In the event of a region-wide outage, Image-Charts will bring up a duplicate environment in a different Google Cloud Platform region. The Image-Charts operations team has extensive experience performing full region migrations.

Corporate Security

Malware Protection

At Image-Charts, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities.

Risk Management

Image-Charts follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All Image-Charts product changes must go through code review, CI, and the build pipeline to reach production servers. Only designated employees on Image-Charts's operations team have secure shell (SSH) access to production servers.

We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

Image-Charts performs risk assessments throughout the product lifecycle per the standards outlined in HIPAA Security Rule, 45 CFR 164.308:

  • Before the integration of new system technologies and before changes are made to Image-Charts physical safeguards
  • While making changes to Image-Charts physical equipment and facilities that introduce new, untested configurations
  • Periodically as part of technical and non-technical assessments of the security rule requirements as well as in response to environmental or operational changes affecting security

Contingency Planning

The Image-Charts operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Security Policies

Image-Charts maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps.

Security Training

All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.

All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all Image-Charts employees.

Disclosure Policy

Image-Charts follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Image-Charts notifies customers of any data breaches as soon as possible via email and phone call, followed by multiple periodic updates throughout each day addressing progress and impact. Image-Charts Enterprise plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.

Image-Charts maintains a live report of operational uptime and issues on our status page. Any known incidents are reported there, as well as on our Twitter feed.