Security Statement



Data Center

Grapevine’s servers are hosted in a Rogers Tier III data center located in Canada. This data center is a secure facility equipped to handle the high power density, bandwidth, and low latency required by our business. It is a fully certified SOC 2 Type II and PCI DSS compliant facility. Some of the features employed include:

Power
  • N+1 UPS
  • A+B power to every cabinet
  • 9MW utility feed
  • Continuous run diesel generators
Management
  • Trained technical staff
  • 24/7 monitoring of a dedicated on-site access control system
  • Vital infrastructure and environmental controls monitored by a dedicated network operations center (NOC) team
Cooling
  • Outside ambient air cooling, evaporative cooling, and mechanical chilling systems with N+1 redundancy
  • Steam and ultrasonic humidification
Security
  • Card access with biometric retina scanning to verify identity before entry
  • All access to the site is logged
  • CCTV surveillance throughout the facility
  • Multi-zone pre-action sprinkler system
  • Sophisticated alerting and monitoring equipment
Connectivity
  • Multiple fibre entrances
  • Multiple carriers present

Network

  • Servers are continually monitored for unscheduled outages.
  • A hardware-based firewall appliance is employed, with IDS and port filtering/NAT enabled only for required services.
  • The latest server security patches are scheduled and applied as needed.
  • Access to the servers for management purposes is limited to appropriate roles and requires an SSL VPN connection with multi-factor authentication.
  • Event and firewall logs are retained and used for auditing access as needed.
  • Data loss prevention (DLP) / extrusion prevention mechanisms are implemented on all systems and devices to prevent data leakage.
  • All end-user devices have centrally managed full-disk encryption, anti-virus/anti-malware protection, and firewall features enabled.
  • Our network support provider has been appropriately screened and is bound under contract to a non-disclosure confidentiality agreement.

Backup Storage

  • Transaction log backups are executed hourly, with full database backups performed daily.
  • All backups are encrypted at rest. Full database backup files are retained on the server for 14 days to support customer restoration or inquiry requests.
  • Bare-metal backups (image-based, volume-level backups) are performed twice daily for all servers, with a current retention of 90 days.

Application

  • We use Moneris as our hosted payment page provider; as such, we do not collect or store any credit card details in our database.

  • Customer data stored in the database is logically separated with appropriate access controls.

  • SSL/TLS encryption (transport layer security) is enforced for all data transmitted to and from Grapevine services.
  • Customer passwords are required to meet specific complexity requirements and are never stored in plaintext; they are stored in the database as salted hashes. Customers must themselves be responsible stewards of the data, ensuring they protect their passwords and any information they collect from respondents and subsequently access or download from our services.

  • An encrypted cookie containing authentication/session identification is used. Passwords are not stored in this authentication cookie.

  • Temporary files created by the application or uploaded for use in servicing Customer requests are stored in a secure folder and purged either immediately after use or within 1 hour of creation.

  • Report pdf files created by the application for use in servicing Customer distribution requests are stored in a secure folder and are purged from the system after 30 days.

  • The application provides the facility for Customers to export a survey’s data including all questions, responses, and rater/respondent details.

  • The application provides the facility for Customers to delete survey data including any/all questions, responses, and rater/respondent details.
  • In some instances, we make use of soft deletes (flagging a record for deletion) to better meet the restoration needs of Customers who mistakenly delete content. Soft delete records are purged from the system within 7 days.

  • For Customer (account-wide) delete requests, please contact dataprotection@grapevineevaluations.com; your request will be processed within 30 days.
  • Although delete requests are handled as expeditiously as possible, Customer data may continue to reside in backups for up to 104 days (14 days of daily database backup files plus 90 days of image volume backups).
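The password bullet above states that passwords are salted and hashed rather than stored in plaintext. The following is an added illustration of what that means in practice; it is not Grapevine’s own code, and the page does not disclose the algorithm, iteration count, or complexity rules actually in use. The example assumes PBKDF2-HMAC-SHA256 with a per-user random 16-byte salt and 600,000 iterations (the OWASP recommendation for that KDF), a hypothetical complexity policy (12+ characters with upper, lower and digit), a stored record format of `algorithm$iterations$salt$hash`, and a constant-time comparison at login so a hash mismatch cannot be timed.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed parameters for this illustration; the page does not state
# which KDF, iteration count or password policy Grapevine uses.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # fresh random salt per password
KEY_BYTES = 32         # derived hash length


def check_complexity(password):
    """Hypothetical complexity policy: 12+ chars, one upper, one lower, one digit."""
    return (
        len(password) >= 12
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'alg$iterations$salt$hash' for storage.

    A new random salt is drawn for every call, so two users with the same
    password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record: treat as a failed login
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the record was made with a weaker work factor than current policy.

    Call after a successful login to upgrade old records transparently.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "Correct-Horse-Battery9"
    assert check_complexity(pw)
    record = hash_password(pw)
    print("stored record:", record)
    print("login with right password:", verify_password(pw, record))
    print("login with wrong password:", verify_password("wrong", record))
```

The record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing accounts: `needs_rehash` flags old records, and the application re-hashes the password it just verified.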
Revised July 1, 2020