SECURITY STATEMENT
Compliance
All INTOO LLC products are SOC2 Type 2 certified in the Trust Services Criteria category of Security. If you require a copy of our current SOC2 Type 2 report, please contact your customer success or sales manager for assistance.
Access and Authentication Controls
INTOO LLC restricts access to customer and confidential data on a business need-to-know basis. Access is granted based on an individual's role within the organization, and INTOO LLC enforces mandatory multi-factor authentication for all access to confidential data.
Data Handling and Data Privacy
Data privacy is taken seriously at INTOO LLC. We regularly monitor changing data privacy laws and regulations and update our policies and procedures accordingly. Data privacy training is provided to all employees upon hire and regularly thereafter. Data privacy is taken into consideration during all phases of application development.
- INTOO LLC maintains compliance with the European Union’s General Data Protection Regulation (GDPR).
- We rely on the European Commission's approved Standard Contractual Clauses (SCCs) for data transfers from the EEA to the United States. We have policies and procedures in place to comply with any applicable data privacy laws.
For more information on the types of data we collect and the purposes for which we use them, please refer to the product tab of our Privacy Policy.
Data Encryption
INTOO LLC encrypts customer data both in transit and at rest. All services require HTTPS using TLS 1.2 and the restricted set of cipher suites defined by the TLS-1-2-2017-01 security policy, which INTOO LLC applies on AWS Application Load Balancers and within AWS CloudFront. At rest, INTOO LLC uses the AWS Key Management Service (KMS) to encrypt data stored in databases (RDS) and in S3. AWS KMS uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys.
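The at-rest protection described above rests on AES-256-GCM data keys issued and wrapped by KMS, so the following Go program models that envelope-encryption pattern. It is an added illustration, not INTOO LLC's code, and it contacts no AWS service: an in-memory master key stands in for the KMS key (an assumption; real KMS key material never leaves the service), a fresh 256-bit data key is generated per record, and an encryption context is bound into the GCM tag as associated data the way KMS binds its EncryptionContext. The record text and the context values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// masterKey stands in for a KMS key. Holding it in process memory is an
// assumption made so the example runs offline; in AWS it stays inside KMS.
type masterKey struct{ key []byte }

func newMasterKey() (*masterKey, error) {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &masterKey{key: k}, nil
}

// envelope is what would be stored at rest. The encryption context is
// deliberately not stored: the caller must present it again on decrypt.
type envelope struct {
	WrappedDataKey []byte // nonce || AES-256-GCM(masterKey, dataKey) || tag
	Record         []byte // nonce || AES-256-GCM(dataKey, plaintext) || tag
}

// aad serialises the context with sorted keys and length prefixes so the
// same map always yields byte-identical associated data.
func aad(ctx map[string]string) []byte {
	keys := make([]string, 0, len(ctx))
	for k := range ctx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var out []byte
	for _, k := range keys {
		out = appendLV(out, k)
		out = appendLV(out, ctx[k])
	}
	return out
}

func appendLV(b []byte, s string) []byte {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	return append(append(b, l[:]...), s...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random 96-bit nonce; a nonce is never reused with a key.
func seal(key, plaintext, ad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, ad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or ad fails the tag check.
func open(key, sealed, ad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], ad)
}

// generateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit key returned in
// plaintext for immediate use and wrapped under the master key with the context as AAD.
func (m *masterKey) generateDataKey(ctx map[string]string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	if wrapped, err = seal(m.key, plain, aad(ctx)); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// decryptDataKey mirrors KMS Decrypt: the unwrap succeeds only if the context matches.
func (m *masterKey) decryptDataKey(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return open(m.key, wrapped, aad(ctx))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func encryptRecord(m *masterKey, plaintext []byte, ctx map[string]string) (*envelope, error) {
	dataKey, wrapped, err := m.generateDataKey(ctx)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey) // the plaintext data key lives only for this call
	record, err := seal(dataKey, plaintext, aad(ctx))
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDataKey: wrapped, Record: record}, nil
}

func decryptRecord(m *masterKey, env *envelope, ctx map[string]string) ([]byte, error) {
	dataKey, err := m.decryptDataKey(env.WrappedDataKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return open(dataKey, env.Record, aad(ctx))
}

func main() {
	m, err := newMasterKey()
	if err != nil {
		panic(err)
	}
	ctx := map[string]string{"tenant": "example-customer", "table": "candidates"} // constructed
	env, err := encryptRecord(m, []byte("constructed sample record"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(m, env, ctx)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = decryptRecord(m, env, map[string]string{"tenant": "other", "table": "candidates"})
	fmt.Println("wrong context:", err)
	env.Record[len(env.Record)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = decryptRecord(m, env, ctx)
	fmt.Println("tampered record:", err)
}
```

Two points the code makes that the prose does not: the wrapped data key is unusable without the master key, so rotating or disabling that one key revokes every record at once, and the encryption context means a blob copied from one tenant's rows cannot be decrypted under another tenant's context even by a caller with KMS access. With real KMS the encryption context is also recorded in CloudTrail for each Decrypt call, which is what makes it auditable.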
Data Center Location
INTOO LLC operates within Amazon Web Services (AWS) under the AWS Shared Responsibility Model: AWS is responsible for the security of the cloud, and INTOO LLC is responsible for security in the cloud. Information regarding the compliance of AWS data centers can be found on the AWS compliance website. If you are required to review the data center SOC report, you can review the latest AWS SOC3 Report published by AWS.
You are able to select your data storage location based on your data localization requirements. Currently we host data in AWS regions in the United States and Europe.
| Product | Production Database | Disaster Recovery Database | 
|---|---|---|
| YourNextStep, INTOOCandidate, INTOOClient | Amazon AWS Data Center in the United States, Northern Virginia (us-east-1) | Amazon AWS Data Center in the United States, Ohio (us-east-2) | 
| Your-Latitude (Option 1): for customers wishing their data to reside in the United States | Amazon AWS Data Center in the United States, Northern Virginia (us-east-1) | Amazon AWS Data Center in the United States, Ohio (us-east-2) | 
| Your-Latitude (Option 2): for customers wishing their data to reside in the EU | Amazon AWS Data Center in Italy, Milan (eu-south-1) | Amazon AWS Data Center in Germany, Frankfurt (eu-central-1) | 
Data Backups and Retention
INTOO LLC maintains one year of database backups, audit logs, and application logs. These backups are stored encrypted in accordance with the Data Encryption section above. To submit a data deletion request, please use the Individual Rights Manager located in the footer of every page on our site.
Awareness and Training
All INTOO LLC employees complete mandatory security awareness and privacy training upon hire and at least once annually thereafter. All INTOO LLC employees and contractors sign confidentiality and non-disclosure agreements upon hire and before being granted access to company or customer data.
Business Continuity / Disaster Recovery
INTOO LLC engineers have designed a highly scalable and resilient product architecture within AWS that is built to withstand attacks and adapt to changing load. System performance is monitored against key metrics to ensure the load on any one system stays within an acceptable range. Should any component become overloaded or experience a fault, automated processes bring additional temporary systems online or cycle out existing systems for new ones. Because this automation is built into the INTOO LLC architecture, system monitoring, updates, and corrective actions take place as needed with minimal to no downtime.
INTOO LLC maintains a full DR environment and tests the DR Plan on an annual basis to confirm that the recovery point objective (RPO) and recovery time objective (RTO) can be met.
Code Security & Updates
The INTOO LLC engineering department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Application code is stored in a secure code repository with full version control. Code changes are peer reviewed and tested in a staging environment before they are pushed to production. The staging and production environments are logically separated, and no data is shared between them.
Logging and Monitoring
INTOO LLC collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the systems that generate them. The log entries are in line with industry standards for audit trails. INTOO LLC retains these logs for a period of one year for the business purpose of investigating past system activity.
Remote Monitoring and Management / Mobile Device Management (RMM/MDM)
We secure our employees' workstations and laptops using remote management and mobile device management tools to ensure that each device follows our information security standards, including disk encryption, patch management, and device controls.
Penetration Testing / Vulnerability Scanning
INTOO LLC conducts external penetration testing of our products on an annual basis. Further, INTOO LLC performs weekly scans using an industry-leading vulnerability scanning tool. Any vulnerabilities found during these processes are added to our vulnerability tracking program. Security vulnerabilities are remediated in accordance with the following schedule:
| Priority | Critical (P0) | High (P1) | Medium (P2) | Low (P3) | 
|---|---|---|---|---|
| Remediation Timeline | 7 days | 14 days | 90 days | Discretionary | 
[Latest Page Update: 02/28/2023]
