Overview

This document attempts to address some of the questions that clients and prospects
most frequently ask iCapture about security, privacy and conformance to standards.

Location of Data

Q. Name of Hosting Provider/Datacenter facility that will store or process data. (Where
will the data be hosted?)

A. Google Cloud Compute Engine - US Central data centers.

Q. If this is a Cloud solution, which cloud architecture do you support (Multi-tenant or Multi-instance)?
A. Multi-tenant. iCapture can optionally provide an instance specifically for you. Contact your sales representative for more information.

Q. Who from your company, the hosting provider, and anyone in your supply chain, has access to data?
A. Data is encrypted at rest, and the hosting provider does not access it. Key employees have access only as needed. With the exception of business card transcription, iCapture relies on no other parties for processing or storing data.

Q. In what countries are the data stored?
A. All data is stored in the United States. Contact your sales representative for information and pricing on customized instances in non-U.S. data centers.

Q. Do you allow your employees to store customer/end user data on their personal
devices?

A. All processing and storage of data is performed on iCapture's servers hosted in ISO 27001 certified data centers. Employees do not store customer data on their personal or work-related devices.

Q. Explain the secure process that is used to load/interface data to/from your system.
A. Data is captured through our proprietary mobile app and transferred over HTTPS using TLS v1.2 encryption to iCapture servers. It is then either downloaded securely from our servers (Data Export) over HTTPS using TLS encryption or uploaded to a third-party integration provider (optional) using some form of HTTPS.

Assessments

Q. What is your PCI DSS compliance Level? Describe how credit cards are handled,
including the name of the payment gateway, if applicable.

A. iCapture is not certified PCI DSS Compliant. Credit card payments are processed through PayJunction, which is Level 1 PCI Compliant (the highest level for a service provider).

Q. What kind of independent third-party security program assessment has your
company completed?

A. iCapture is actively pursuing SSAE 16 SOC Type II certification. We intend to be certified by 3Q2018.

Q. Will you make available a copy of the associated report or certificate from the
independent third-party assessment?

A. Yes, when it becomes available. We are in the process of selecting an assessment provider (see previous question). One requirement iCapture has of a provider is the ability to create a public-facing version.

Q. For your most recent independent third-party security program assessment: Were all identified Critical, High, and Medium risk findings/non-conformances/issues
remediated?

A. Although iCapture has not selected a third-party assessment firm, we have had external assessments performed by companies such as Rapid7. Whenever a high-risk issue is identified, iCapture policy is to remediate within 72 hours.

Q. Outside of formal certifications, with which other industry security standards and
frameworks does your security program align?

A. In addition to aggressively pursuing SSAE 16 SOC Type II certification, iCapture is self-certified Privacy Shield compliant.

Q. How often are penetration tests performed for the in-scope systems?
A. iCapture performs penetration tests quarterly or more frequently as necessary.

Q. For your most recent penetration test, were all identified Critical, High, and Medium risk findings remediated? If no, explain plans to address.
A. Yes. High-risk findings are reported to the management team, prioritized and remediated. iCapture policy is to have high-risk items remediated within 72 hours of identification.

Q. How often is vulnerability scanning performed?
A. iCapture performs vulnerability scans quarterly or more frequently as necessary.

Q. Are internet-facing and internal network systems included in vulnerability scans?
A. Yes, both internet-facing and server internal networks are considered in scope and are scanned at least quarterly.

Q. Were all identified High and Medium risk findings from the most recent vulnerability scan remediated?
A. Yes, findings are reported to the management team, prioritized and remediated. iCapture policy is that high-risk issues are remediated within 72 hours of identification.

Access Control

Q. Do you support federated single sign-on (SSO), which would allow us to leverage our own identity management solution to authenticate our users to your application?
A. Single sign-on as well as Federated Identity is available as an optional component of the iCapture service. Contact your sales representative for more information and pricing.

Q. If SSO is not supported, describe password and other authentication controls.
A. Authentication is a username and password pair with password complexity rules.

Q. If SSO is not supported, is multi-factor authentication available?
A. Multi-factor authentication options such as SHA authenticators and an SMS PIN at login are available as an optional component of the iCapture service. Contact your sales representative for more information and pricing.

Q. Do you have formal procedures to request, approve, provision, de-provision, and
review access rights for our employees to all data and systems that process and
handle our data?

A. iCapture provides you with tools to manage access to your account. Custom processes can be implemented specifically for you. Contact your sales representative for more information and pricing.

Q. Do you have procedures in place to administer and manage system administrator
accounts?

A. This isn't available by default, but can be implemented as part of a custom agreement.

Q. Do you monitor the appropriate usage of system administrator accounts?
A. This isn't available by default, but can be implemented as part of a custom agreement.

Incident Management

Q. Do you have a 24x7x52 process to notify us in the event of a security incident
(breach)?

A. iCapture continuously monitors our systems. In the event of a data security breach, you will be notified with the details of the incident.

Q. Do you have network intrusion detection/intrusion prevention (IDS/IPS) systems in place for all Internet Points of Presence?
A. Google monitors at the network and host level. Our servers have Host Intrusion Detection (HID) systems installed.

Q. Does your incident response plan include a process to determine if an information security incident has taken place?
A. Yes, privacy is paramount. Any incident is analyzed to determine if any data has been compromised.

Q. Do you have provisions in place (detection, revocation) in the event of the theft of a customer’s credentials?
A. Yes, in addition to strong one-way hashing of passwords, credentials are monitored and can be revoked.

Q. Do you have measures in place to disrupt the lifecycle of a malicious attack?
A. iCapture has processes to disrupt malicious attacks including frequent software patching, Intrusion Detection and host isolation.

Cryptography

Q. Do you encrypt data transmitted over a public network like the internet?
A. Data is only sent over public networks when captures are made and when delivering processed data back to you, either directly or to an integration of your choosing. When data is sent over public networks, encryption is used. TLS v1.2 is used from the mobile app to iCapture servers and is the preferred encryption for data export.

Q. Do you encrypt customer data at rest (on your database) within your environment?
A. iCapture uses both disk-based key encryption as well as data encryption when data is at rest.

Q. Do you encrypt employee laptops?
A. iCapture never stores customer data on employee devices, regardless of whether the devices are portable. However, it is policy to encrypt all storage media used by iCapture.

Q. Do you encrypt backups (tape or disk)?
A. Yes, iCapture encrypts all backups with strong AES-256 encryption.

Q. Do you encrypt portable media (USB drives, tapes, etc.)?
A. iCapture never stores customer data on portable media. However, it is our policy to encrypt all storage media regardless of portability.

Q. Do you have policies and procedures established and mechanisms implemented for effective key management?
A. iCapture maintains strict controls with limited access to all private encryption keys.

Q. Do you use strong, one-way cryptographic hash functions to store passwords?
A. Yes, all iCapture system passwords are salted and hashed with a strong one-way
cryptographic hash function.

Business Continuity/Disaster Recovery

Q. In the event of a disaster, describe when and how you would notify us of the event.
A. In the event of a disaster that impacts clients, iCapture would send an email to addresses on record outlining the situation.

Q. How often do you update and test your business continuity and IT disaster recovery plans?
A. Business continuity and disaster recovery are integrated into all our systems. For example, the iCapture mobile app allows you to capture data completely offline. Our business continuity and disaster recovery plans are updated and tested annually.

Q. What is your RTO (recovery time objective)?
A. iCapture’s RTO, the time to recover and be fully back online, is less than four hours. During this time, it is important to note that capture services provided by the iCapture mobile app are fully functional.

Q. What is your RPO (recovery point objective)?
A. In the event of an IT disaster, iCapture’s RPO is zero data loss.

Operations Security

Q. Do you have controls to manage malware/malicious code?
A. iCapture uses an array of tools to control malware/malicious code including Host Intrusion Detection systems.

Q. Do you have logging and monitoring processes in place for your infrastructure and applications?
A. Google Cloud services monitor the infrastructure. iCapture’s servers and applications are logged and monitored by iCapture.

Q. Do you protect logs from unauthorized access or tampering?
A. Yes, iCapture has systems in place to detect and recover from log tampering.

Q. Do you review administrator and privileged account usage?
A. iCapture logs administrator and privileged account usage. Logs are routinely reviewed.

Q. Do you provide relevant APIs to provide logs and other event information to our
SIEM?

A. iCapture can optionally make logged information available to your SIEM. Contact your sales representative for more information and pricing.

Q. Are there policies, procedures and mechanisms implemented which define patch
management?

A. Yes, procedures are in place for patch management. Software patches are rigorously applied as they become available.

Q. How quickly are patches applied?
A. iCapture applies patches continuously as they become available and are tested in a non-production environment.

Mobile Device Solution

Q. Is data encrypted in transit from a user’s device to the hosting platform?
A. Yes, data is transferred from our proprietary mobile app to iCapture servers over HTTPS using TLS v1.2 encryption.

Q. Are permissions required for the application to function normally?
A. No special permissions are required for the app and a basic questionnaire to function normally. If you choose to capture using the camera (business cards or badge scanning), microphone, or GPS (geolocation of the capture point) then permission to access the appropriate phone peripheral is required. Additionally, the app has the ability to send push notifications to the user. While this isn’t required for normal operation, access needs to be granted if push notifications are desired.

Q. Are users authenticated and authorized for the mobile application?
A. A unique install code is used to deploy your questionnaire to the app on mobile devices. This install code links devices to your account and questionnaires within your account.

Q. Are the user credentials persistent, which could allow access to the application until the token expires, and potentially after the employee leaves the company?
A. Questionnaires and thus app usage are deployed through iCapture’s install code
mechanism. Thus, no authorization token is needed. Questionnaires and therefore
authorization can be forcibly removed from the app from your centralized control panel.

Q. Is device/user specific data collected and stored from the application (i.e. location, credentials, etc.)?
A. Certain user information including GeoLocation can optionally be recorded. These
configuration options are available when setting up a questionnaire. No data is collected that you don’t explicitly design into your questionnaire.

Q. Is data stored locally on the mobile device?
A. Data is stored locally on the device temporarily, until contact is made with the server. When operating with access to the Internet, the data remains on the device only for a few seconds. If capturing offline, data persists until the device comes online and the server acknowledges successful transmission of the data.

Supplier Relationships

Q. Do you ensure that your third-party partners adhere to your Security and Privacy
policies?

A. iCapture rarely relies on any third party for providing our services. Currently we have agreements with Google (Cloud hosting services) and one other company for the purposes of business card transcription. Whenever we engage a third party for services, we confirm they will adhere to our Security and Privacy policies.

Privacy and Compliance

Q. Can you handle "model contract clause" requests from customers to meet EU
Directive compliance?

A. iCapture isn’t set up to handle model contract clause requests specifically; however, we adhere to and are listed with EU-US Privacy Shield. See: https://www.privacyshield.gov/participant?id=a2zt0000000TOtYAAW

Q. Will personal data move across national borders or from Europe to the United States?
A. Depends on the capture location. Internally, data never leaves servers in the United States. However, if data is captured from a device that is physically outside of the United States, that data will cross a border either as the device is physically in transit or when data is uploaded to iCapture, which hosts all its multi-tenant cloud services in the United States. Please note, iCapture does participate in EU-US Privacy Shield. See:
https://www.privacyshield.gov/participant?id=a2zt0000000TOtYAAW

Contact your sales representative for multi-instance solutions that enable us to keep data confined to a non-United States region.

Q. How is consent (opt-in/opt-out) handled (particularly for EU employees)?
A. No data is captured on employees or anything else unless you design collection of that data into your questionnaire. iCapture provides you the tools to handle required and optional data for capture.

Q. Explain how you comply with EU cookie law.
A. iCapture uses a limited number of cookies as part of our service. These cookies are exempt from the EU cookie law, as they are used for user input, authentication and user-centric security.

See: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

Q. Are you authorized for the EU Binding Corporate Rules for data processes? If not and you handle/transfer personal information on a global basis, explain how you comply with global data transfer laws.
A. We adhere to and are listed with EU-US Privacy Shield. See:
https://www.privacyshield.gov/participant?id=a2zt0000000TOtYAAW

Information Transfer

Q. Is Personal Information handled by you processed and protected in accordance with global information protection laws, subpoena, EU data protection and litigation
freeze?

A. Yes, personal information is handled and protected in a way congruent with information production laws, subpoena and litigation freeze.

Q. In the event of a subpoena, do you logically segment and encrypt data so that it may be produced and recovered for a single customer only, without inadvertently
accessing another customer's data?

A. Yes, the iCapture database is logically segmented by client and further by questionnaire and even capture device. iCapture can safely retrieve only subpoenaed data.

Q. Do you support litigation holds (freeze of data from a specific point in time)?
A. Yes, captured data is stamped with the collection time, and thus it is possible to copy and freeze data over a collection timeframe. By design, captured data can’t be edited directly on our systems, so there is no need to look at complicated audit trails of manipulated data. Data can, of course, be manipulated after download, but that is outside the purview of iCapture.

Human Resources Security

Q. Do you perform background investigations for all personnel (employees and
contractors) who have access to infrastructure, servers, applications, and data?

A. Yes, all personnel are subjected to a pre-employment screening process that includes
background investigations.

Q. Are all personnel who have access to systems or data trained for the secure handling of that information?
A. Yes, access is limited to those who need it and mandatory training is provided on both security and privacy.

Q. Is a disciplinary process in place for employees who knowingly deviate from policies?
A. Yes, no tolerance is given to personnel who willingly deviate from iCapture security and privacy policies.

Asset Management

Q. Is a process in place to wipe data from hardware before it is disposed or reused?
A. Sensitive data is not routinely stored on hardware in direct control of iCapture, but rather with Google Cloud services. Google Cloud services are certified SSAE 16 SOC Type II, ISO 27001, ISO 27017 and ISO 27018, among others.

iCapture storage media is either NIST 800-88 Clear, NIST 800-88 Purge or shredded when being disposed of.
