1. Introduction

ImpactMapper, PBC ("ImpactMapper") is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic personal information (PI) it receives, maintains, processes and/or transmits on behalf of its Customers. ImpactMapper strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure that known breaches are completely and effectively communicated in a timely manner. The following documents address the core policies used by ImpactMapper to maintain compliance and assure the proper protection of the infrastructure used to store, process, and transmit data for ImpactMapper Customers. ImpactMapper provides secure and compliant cloud-based software. This software is also referred to throughout these policies as the ImpactMapper System or simply the application.

1.2 Compliance Inheritance

ImpactMapper provides secure hosted software infrastructure for its Customers. ImpactMapper has been through internal audits to validate and map organizational policies and technical controls to GDPR rules. ImpactMapper's service offerings are hosted on AWS. ImpactMapper has signed the following agreements through AWS Artifact:

Some of the AWS Compliance Programs are inheritable; please contact us to clarify any compliance questions.

1.3 ImpactMapper Organizational Concepts

The physical infrastructure environment is hosted at Amazon Web Services (AWS). The network components and supporting network infrastructure are contained within the AWS infrastructure and managed by AWS. ImpactMapper does not have physical access to the network components. The ImpactMapper environment consists of nginx web servers; Node and Ruby application servers; PostgreSQL database servers; Logstash logging servers; Linux Ubuntu monitoring servers; Docker containers; and developer tool servers running on Linux Ubuntu.

Within the ImpactMapper System on AWS, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. ImpactMapper assumes all data *may* contain PI, even though our assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

The data and network segmentation mechanism differs depending on the primitives offered by the underlying cloud provider infrastructure.

AWS Security Groups are configured to restrict access to only justified ports and protocols. ImpactMapper has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers.
The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS-encrypted session.

The nginx web server and application servers are externally facing and accessible via the Internet. The database servers, where the PI resides, are located on the internal ImpactMapper network and can only be accessed through a bastion host. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Internal servers are not remotely accessible except through the load balancers.
All systems and operating systems are tested end-to-end for usability, security, and impact prior to deployment to production.
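The segmentation described above (web tier open to the Internet, PostgreSQL reachable only from the bastion and application security groups) is the kind of rule set that drifts silently when someone adds a "temporary" rule. The following is an added audit example, not ImpactMapper's own tooling: a pure function that checks security-group rules against a per-tier allow-list. The input mirrors the `IpPermissions` shape of EC2 `DescribeSecurityGroups` (tags flattened to a dict for brevity); the sample groups, group ids, and office CIDR are constructed.

```python
"""Audit security-group rules against a tier-based allow-list (added example)."""
from typing import Dict, List

# Hypothetical policy: tier -> {port: allowed sources}. A source is a CIDR or a
# security-group id. "0.0.0.0/0" is justified only where it is listed.
POLICY = {
    "web": {443: {"0.0.0.0/0"}},
    "db": {5432: {"sg-bastion", "sg-app"}},
    "bastion": {22: {"203.0.113.0/24"}},  # constructed office range (TEST-NET-3)
}


def _sources(perm: Dict) -> List[str]:
    """Collect every source of one IpPermissions entry (CIDRs and SG ids)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])


def audit_security_groups(groups: List[Dict], policy=POLICY) -> List[str]:
    """Return one finding per inbound rule the policy does not justify."""
    findings = []
    for sg in groups:
        allowed = policy.get(sg.get("Tags", {}).get("tier"))
        if allowed is None:
            findings.append(f"{sg['GroupId']}: no tier tag, cannot justify rules")
            continue
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":  # all protocols and ports
                findings.append(f"{sg['GroupId']}: allows all traffic from {_sources(perm)}")
                continue
            for port in range(perm["FromPort"], perm["ToPort"] + 1):
                for src in _sources(perm):
                    if src not in allowed.get(port, set()):
                        findings.append(f"{sg['GroupId']}: port {port} open to {src}")
    return findings


# Constructed sample: a compliant web group and a db group with one drifted rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "Tags": {"tier": "web"},
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "Tags": {"tier": "db"},
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "UserIdGroupPairs": [{"GroupId": "sg-bastion"}, {"GroupId": "sg-app"}]},
         # drift: PostgreSQL opened to the whole VPC range, bypassing the bastion
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    print("\n".join(audit_security_groups(SAMPLE_GROUPS)) or "no findings")
```

Run it on a periodic schedule against the live `describe_security_groups` output and alert on any non-empty result; an empty list is the only acceptable state.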

2. Data Management Policy

ImpactMapper has procedures to create and maintain retrievable exact copies of electronic personal information (PI) stored in conjunction with ImpactMapper Customer Content. The policy and procedures will assure that complete, accurate, retrievable, and tested backups are available for all systems used by ImpactMapper.
Data backup is an important part of the day-to-day operations of ImpactMapper. To protect the confidentiality, integrity, and availability of PI, both for ImpactMapper and ImpactMapper Customers, complete backups are done daily to assure that data remains available when it is needed and in case of a disaster.
Violation of this policy and its procedures by workforce members may result in corrective disciplinary action, up to and including termination of employment.

2.1 Backup Policy and Procedures

  1. Perform daily snapshot backups of all systems that process, store, or transmit PI and Customer Content for ImpactMapper Customers.
  2. The ImpactMapper Ops Team is designated to be in charge of backups.
  3. Dev Ops Team members are trained and assigned to complete backups and manage the backup media.
  4. Document backups: name of the system, date and time of the backup, and where the backup is stored (or to whom it was provided).
  5. Securely encrypt stored backups in a manner that protects them from loss or environmental damage.
  6. Test backups annually and document that files have been completely and accurately restored from the backup media.

3. System Access Policy

Access to ImpactMapper systems and the application is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum-necessary basis. All users are responsible for reporting an incident of unauthorized use or access of the organization's information systems. These safeguards have been established to address the GDPR Security regulations, including the following:

3.1 Access Authorization

3.2 Person or Entity Authentication

3.3 Unique User Identification

  1. Access to the ImpactMapper Platform systems and applications is controlled by requiring unique User Login IDs and passwords for each individual user and developer.
  2. Password requirements mandate strong password controls (see below).
  3. Passwords are not displayed at any time and are not transmitted or stored in plain text.
  4. Shared accounts are not allowed within ImpactMapper systems or networks.
  5. Automated log-on configurations that store user passwords or bypass password entry are not permitted for use with ImpactMapper workstations or production systems.

3.4 Automatic Logoff

  1. Users are required to make information systems inaccessible to any other individual when unattended by the user (e.g. by using a password-protected screen saver or logging off the system).
  2. Password requirements mandate strong password controls (see below).

3.5 Password Management
