SECURITY PRACTICES
Effective: July 13, 2023
Sections
This page provides information about the security practices that we undertake to support delivery of our Re-TRAC Connect™ service, our RecycleSearch™ service, and our Re-TRAC™ platform (collectively, the "Services" and, individually, a "Service"). Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service. "Emerge Knowledge," "we," "our," or "us" refer to Emerge Knowledge Design Inc., the owner of this website and the provider of the Services.
Compliance
The Services are hosted using the Amazon Web Services (AWS) EC2 platform and data center to achieve security, stability, and scalability. The environment that hosts the Services maintains multiple global compliance certifications including ISO/IEC 27001:2013, 27017:2015 and 27018:2014, PCI DSS 3.2 Level 1 Service Provider, and SOC 1, SOC 2 and SOC 3 audits (with semi-annual reports). For more information about AWS data center certification and compliance, please visit the AWS Security webpage and AWS Compliance webpage.
We maintain PCI compliance pass status, and scan all of our Internet-facing networks and systems with Six Sigma (99.9996%) accuracy, on a quarterly schedule.
Data Encryption
Data In Transit
We use industry-standard Transport Layer Security ("TLS") to create a secure connection, including all data sent between Users and our Services, with 128/256-bit Advanced Encryption Standard ("AES") encryption. There is no non-TLS option for connecting to our web services; all connections are made securely over Hypertext Transfer Protocol Secure (HTTPS).
Data At Rest
AWS EC2 servers are encrypted using AES-256 bit encryption enabling data-at-rest on all our EC2 servers.
Vulnerability Detection
We perform quarterly vulnerability, penetration, and intrusion detection scanning using QualysGuard PCI and Qualys SSL Labs services on a quarterly basis. This process detects programming vulnerabilities related to security, SSL / TLS security, other known issues and vulnerabilities. Vulnerability and security lists are monitored daily for Common Vulnerabilities and Exposures (CVE) whereby we remediate any findings that present a risk to our environment. We are committed to vulnerability detection monitoring towards protecting our production systems from unauthorized access or attack.
Network Security
We use AWS Network Access Control List (ACL) and AWS Security Groups to restrict access to systems. System firewalls are configured according to industry best practices and unnecessary ports are blocked. We securely connect to the AWS data center using 256-bit AES encryption.
Anti-Virus Protection
We maintain a centrally managed antivirus solution deployed across our work environments (Windows and macOS) that runs real-time monitoring with daily updates.
Incident Management & Response
In the event of a security breach, we will promptly notify our customers (via Notices contact) of any unauthorized access to your customer data. We have incident management procedures in place to handle such an event.
Personnel
All employees must pass a police background check prior to employment, and must read and agree with our policies. Only authorized personnel have access to the production system whereby administrative accounts have the minimum access required to perform their function (principle and practice of least-privilege), and administrative access to our production servers requires SSH keys. To successfully deliver the Services, some employees require access to customer data (to provide dedicated services and for testing and problem diagnosis); all actions are logged in the system. Upon termination, all authorized personnel and employee access is removed.