Security Architecture Narrative
Shuffl believes in delivering against the highest standards for our systems architecture, to give our customers peace of mind in the protection of their Personal Data. This involves rigor in the people, processes, and tools that protect all company assets. The security architecture is driven by policy, measured against performance expectations, and enforced through battle-tested architecture built on the latest technologies available.
Shuffl follows strict guidelines: (a) to encrypt personal data throughout its lifecycle, including in transit and at rest; (b) to help ensure the ongoing stability, confidentiality, integrity, availability and resilience of platform services; (c) to restore timely access to personal data following an incident; and (d) to regularly test the organizational and technical safeguards in place.
Product and Application Architecture
Application security extends the security of the overall systems architecture. Shuffl adheres to industry best practices in software development to ensure that application and platform security meets the highest standards.
Shuffl Infrastructure Access
Internal access is designed to ensure that the right people have access to the right level of customer data.
If a role does not require access to customer data, access will be restricted.
Shuffl implements a uniform password policy for our internal systems and for access to external systems where authentication is mandatory.
Customers who interact with our products through any endpoint must authenticate before accessing non-public customer data.
All personnel are required to adhere to strict non-disclosure and confidentiality agreements with respect to data.
Shuffl workstations are hardened against logical and physical attacks by the following measures:
Operating system (OS) must be within one generation of current
Onboard antivirus/anti-malware software
OS and AV automatically updated
Workstation compliance with these measures is evaluated on a semi-annual basis.
Shuffl employees work remotely on a regular basis and connect to production and internal IT systems via direct encrypted access to cloud services. Access to infrastructure is actively reviewed, and any anomalies are reported to the security team for further investigation. An on-boarding or off-boarding procedure is followed for every team member joining or leaving, to ensure appropriate account access for the duration of their employment or engagement.
Shuffl commissions an external penetration test annually, at year-end. All findings are reviewed immediately and addressed to the satisfaction of the Managing Partners.
Shuffl's infrastructure is located within AWS. Shuffl does not have physical access to AWS infrastructure.
Shuffl updates its Cyber Risk Assessment on an annual basis in order to keep pace with the evolving threat landscape.
Standard Controls Satisfied
TSC CC6.6, CC6.7, CC7.1, CC7.2