Data Management
Welcome to Filtroo's Data Management Policy
At Filtroo, we prioritize the protection and management of your personal data. Here is how we handle and secure your information.
Ensuring Data Security and Integrity
- Critical Data Masking: Yes, payment card data is masked and encrypted to ensure that access is limited to authorized individuals only.
- Protection of Digital Identities: We use AES 256-bit encryption for data at rest to secure digital identities.
- Data Collection and Storage: We only store personal information such as names, emails, and contact numbers. This data is not used beyond its intended purpose and can be deleted upon the tenant's request.
- Third-Party Access: Your data is completely secure. Third parties, including government agencies, do not have access to your data without proper authorization.
- Shared Logs and Resources: Yes, your data is completely encrypted and secure, ensuring that no critical information is revealed to third parties.
- Data-Integrity Monitoring: No, our data is stored in secured databases, and any alterations are logged within the system records.
- Data Loss Prevention (DLP): Yes, we have DLP solutions for web, email, and endpoints to prevent data loss.
- Customer Data Retention Policies: Yes, we enforce customer data retention policies through technical controls.
- External Infrastructure: No, we rely solely on our own infrastructure to ensure maximum data security.
- Backup Policies and Procedures: Our platform operates on the cloud, eliminating the need for removable storage devices. Data is securely destroyed when no longer required.
- Data Deletion: Our data cleansing process ensures that deleted data is completely wiped and cannot be accessed by other users.
- Identity Checks for Privileged Access: We have user roles for privileged members, and access is provided via OAuth 2.0. Identity checks are performed based on the resources accessed.
- De-provisioning Privileged Credentials: A support ticket must be raised for de-provisioning, and our backend team handles it promptly.
- Authentication of Privileged Accounts: High-privilege accounts are authenticated and managed to secure confidential data.
- Segregation of Duties: High-privilege roles are allocated to ensure no conflict of interest and proper segregation of duties.
- Emergency Privileged Access: In emergencies, tenants can request privileged access through customer support or their account manager, which is promptly granted from the backend.
- Monitoring and Logging Privileged Actions: Infrastructure logs are collected using AWS, and application-related logs are stored in Elasticsearch and retained long-term.
- Mutual Authentication: Yes, strong authentication is enforced via AES 256-bit encryption.
- Audit Logs: Infrastructure and application-related logs are collected and retained long-term. Logs are regularly reviewed to ensure data integrity.
- ISPs and DDoS Protection: We use multiple ISPs for uninterrupted service and have gateways to protect against DDoS attacks.
- Historical Data Availability: No, historical data cannot be provided due to confidentiality.
- Downtime Plan: We ensure uninterrupted service even during upgrades and patches.
- Forensic Investigation: Yes, we can accommodate forensic investigations when necessary.
- Data Integrity and Quality Control: We follow defined quality control and testing processes to maintain system availability, confidentiality, and integrity.
- Data Classification and Access Control: We classify data based on type, value, sensitivity, and criticality and enforce appropriate access controls.
- Data Security and Lifecycle Management: We comply with data security and lifecycle management requirements, assigning stewardship and responsibilities as per compliance standards.
- Operating System Hardening: Operating systems are hardened to provide necessary services and support technical controls like antivirus and file integrity monitoring.
More Information
- Data Access Permissions: Access is based on Authentication, Authorization, and Accountability (AAA) principles, with least privilege access enforced.
- Physical Media Access: Role-based access control mechanisms are in place for physical media.
- Secure Disposal: Our data cleaning process ensures secure disposal, aligned with our Media Protection and Data Retention & Disposal policies.
- Environment Segregation: Development, test, and production environments are separate to ensure data integrity.
- Third-Party Data Access: Third parties, including subcontractors and sub-processors, do not have access to client-scoped data.
- Retention Policy: Logs are retained for at least 180 days to ensure compliance and security.
- Data Ownership: Data ownership is clearly defined in agreements, and data is deleted upon contract termination.
- Disposal Management: We ensure data is deleted or overwritten before disposing of any equipment, as per our Data Retention and Disposal Policy.
- Remote Access Monitoring: Data loss prevention techniques are enforced, even when endpoints are disconnected from the corporate network.
- Data Segmentation in Audit Logs: Since we are a multi-tenant system, audit logs contain information from all tenants and cannot be isolated.
- Data Security Controls: We have robust data security controls, including logical data isolation, encryption, and regular audits, to ensure compliance with ISMS and GDPR requirements and protect sensitive information.
- PCI Compliance: While we do not handle cardholder data, our security measures ensure that data is managed securely during its lifecycle.
- Access Control and Identity Verification: Access control policies ensure only authorized individuals access data, and identity verification is performed regularly.
Scope and Application of Policies
All actions, decisions, and procedures outlined in the company’s contracts and policies, as well as the enforcement of terms and conditions, will be the exclusive responsibility of Filtroo Estonia. Filtroo Estonia is the sole entity authorized to implement and oversee all measures detailed in these documents, ensuring adherence to relevant laws and regulations. The entity in the USA will not be involved in or held accountable for any of the activities or obligations set forth in these contracts and policies.
By engaging with our services, users acknowledge and agree that Filtroo Estonia will be solely responsible for managing all aspects of their interaction with the company's services, including data management, customer support, and the application of contractual terms.