Perspicace Security Measures

Effective Date: 4 October 2018

Capitalized terms that are not defined in these Security Measures have the meanings set forth in the Terms of Service or the Data Processing Addendum.

Security Overview

Perspicace Security Measures guide the implementation of controls, processes, and procedures governing the security of Perspicace and its customers. Our Security Measures reflect the following principles:

  • Align security and risk & controls activities with Perspicace strategies and objectives.

  • Leverage security and data protection mechanisms to facilitate confidentiality, integrity, and availability of data and assets.

  • Utilize Perspicace security resources efficiently and effectively.

  • Utilize monitoring and metrics to facilitate adequate performance of security related activities.

  • Manage security utilizing a risk based approach.

  • Implement measures designed to mitigate risks and potential impacts to an acceptable level.

  • Leverage industry security frameworks and best practices where relevant and applicable.

  • Leverage compliance/assurance processes as necessary.

  • Analyze identified or potential threats to Perspicace and its customers, provide reasonable remediation recommendations, and communicate results as appropriate.  

Data Center Security, Availability, and Disaster Recovery

  • Perspicace leverages leading data center providers (“Subprocessors”) to house our physical infrastructure.  

  • Our data center providers utilize an array of security equipment, techniques and procedures designed to control, monitor, and record access to the facilities.

  • Our Subprocessors have implemented solutions designed to protect against and mitigate the effects of DDoS attacks.

  • We rely upon teams located in multiple geographies to support our platform and supporting infrastructure.  

  • Perspicace maintains geographically diverse data centers to facilitate infrastructure and service availability and continuity. 

  • Perspicace has a formally documented disaster recovery plan which is tested at least annually. Results of testing are documented and maintained.  

Application Level Security

  • Perspicace serves website connections over TLS (HTTPS, the successor to SSL) and sets HTTP Strict Transport Security (HSTS), which instructs browsers to connect only over HTTPS.

  • Perspicace uses Virtual Private Networks (VPNs), FTP over TLS (FTPS) and SSH to establish secure connections and transfer data, so that authentication credentials and data files are encrypted in transit.

  • When appropriate to the data classification and handling of sensitive data, Perspicace utilizes encryption at rest and in transit.

  • Our Subprocessors utilize Web Application Firewalls (WAFs) and perform regular penetration testing of the underlying hosting platforms; findings are analyzed and remediated as appropriate.
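The HTTPS and HSTS item above gives a practitioner something concrete to verify: that the Strict-Transport-Security header is actually present, well-formed and strong, and that it is sent on an HTTPS response (browsers ignore it over plain HTTP). The Python below is an added example for this page, not Perspicace's code or configuration. It parses the header the way RFC 6797 describes and flags the usual weaknesses across a handful of constructed sample responses; the six-month MIN_MAX_AGE threshold and the sample header values are assumptions made for the example.

```python
"""Audit a Strict-Transport-Security (HSTS) header as a browser would read it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical policy threshold for this example: anything shorter than six
# months is flagged as weak. RFC 6797 itself sets no minimum max-age.
MIN_MAX_AGE = 15_552_000
# The public preload list requires at least one year plus includeSubDomains.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsCheck:
    ok: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts_directives(value: str) -> Dict[str, Optional[str]]:
    """Split an STS header value into lower-cased directive names and values.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, values may be quoted, and a directive that appears
    twice makes the whole header invalid.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, val = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"') if sep else None
    return directives


def check_hsts(headers: Dict[str, str], served_over_https: bool) -> HstsCheck:
    """Evaluate the HSTS posture of one HTTP response.

    `headers` are the response headers (any case); `served_over_https` matters
    because RFC 6797 section 8.1 requires browsers to ignore STS on plain HTTP.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    result = HstsCheck(ok=False)
    value = lowered.get("strict-transport-security")
    if value is None:
        result.findings.append("no Strict-Transport-Security header")
        return result
    if not served_over_https:
        result.findings.append("STS header sent over HTTP is ignored by browsers")
    try:
        directives = parse_hsts_directives(value)
    except ValueError as exc:
        result.findings.append(str(exc))
        return result
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        result.findings.append("max-age missing or not a non-negative integer")
        return result
    result.max_age = int(max_age)
    result.include_subdomains = "includesubdomains" in directives
    result.preload = "preload" in directives
    if result.max_age == 0:
        result.findings.append("max-age=0 clears the policy instead of enforcing it")
    elif result.max_age < MIN_MAX_AGE:
        result.findings.append(f"max-age {result.max_age} is below {MIN_MAX_AGE}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains absent: subdomains stay reachable over HTTP")
    if result.preload and not (result.include_subdomains and result.max_age >= PRELOAD_MIN_MAX_AGE):
        result.findings.append("preload requires includeSubDomains and max-age >= 1 year")
    result.ok = not result.findings
    return result


# Constructed sample responses for the demonstration (not real captures):
# (headers, was the response served over HTTPS?)
SAMPLE_RESPONSES = {
    "strong": ({"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}, True),
    "weak": ({"strict-transport-security": "max-age=300"}, True),
    "http_only": ({"Strict-Transport-Security": "max-age=63072000"}, False),
    "missing": ({"Content-Type": "text/html"}, True),
}


def audit_samples() -> Dict[str, HstsCheck]:
    """Run the check over every constructed sample and return the results by name."""
    return {name: check_hsts(hdrs, https) for name, (hdrs, https) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, res in audit_samples().items():
        status = "OK  " if res.ok else "WEAK"
        print(f"{status} {name}: max-age={res.max_age} findings={res.findings}")
```

Only the "strong" sample passes; the others show the three failure modes worth checking in a real deployment: a max-age too short to protect returning visitors, a policy sent on an HTTP response that browsers will silently discard, and no header at all.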

Risk & Controls, Data Protection, Security and Privacy By Design

  • With each Customer engagement, Perspicace maps the end-to-end data flows, applies data classification, and identifies the relevant risks and controls. Security and privacy by design help mitigate the risk of noncompliance while delivering the cost-effectiveness and streamlined operations of a “manage by exception” approach.

  • We regularly review industry best practices and reference architectures, and incorporate appropriate improvements to security, data protection and privacy practices.

  • Perspicace carefully reviews and selects our Subprocessors based upon their adherence to international standards, regulations and best practices across security, data protection, privacy and operational excellence.

PCI-DSS compliance

  • PCI-DSS (Payment Card Industry Data Security Standard) is a framework for developing a robust payment card data security process—including prevention, detection and appropriate reaction to security incidents. To learn more, visit the PCI Council’s website.

  • Our payment processor, Stripe, is fully PCI-DSS compliant. Perspicace never handles sensitive card data: it is sent directly to the payment processor’s servers, and Perspicace has no access to it. For general PCI-DSS questions, please contact our payment processor, Stripe.

Perspicace Building and Network Access

  • Physical access to Perspicace offices and access to the Perspicace internal network is restricted and monitored.  

Systems Access Control

  • Access to Perspicace systems is limited to appropriate personnel.

  • Perspicace subscribes to the principle of least privilege: employees, system accounts, vendors and other parties are granted only the access necessary for their job function.

  • Perspicace leverages multi-factor authentication and role-based access control.

Incident Response

  • In the event of an issue related to the security of Perspicace Services, Perspicace personnel follow a formal incident response process.  

  • We analyze identified or potential threats to Perspicace and its customers, provide reasonable remediation recommendations, and communicate results as appropriate.

Security Risk Management

Threat intelligence and risk assessment are key components of Perspicace’s information security program. Awareness and understanding of potential (and actual) threats guide the selection and implementation of appropriate security controls to mitigate risk. Potential security threats are identified and assessed for severity and exploitability before being classified as risks. If risk mitigation is required, Perspicace personnel work with the relevant stakeholders and system owners to remediate. Remediation efforts are then tested to confirm that the new measures or controls have achieved their intended purpose.