Data Storage and Security

How can I be sure that my data is safe with EvTrack? Where is the data hosted?

We take matters of data security very seriously at EvTrack. Our solution is hosted using the highly reliable Amazon AWS servers, which offer optimal uptime, and data security for our customers and the related visitor management and access control data.

Network Security

Our hosting partner is AWS and our servers are hosted in a world-class AWS data centre, that is protected by biometric locks and 24-hour surveillance. We ensure that our application is always up to date with the latest security patches. Our network is protected by redundant firewalls, secure HTTPS transport over public networks, regular audits, and Web Application Firewall (WAF) and Intrusion Detection Systems (IDS) which monitor and/or block malicious traffic and network attacks.

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones that are not accessible from the internet. Data transferred between EvTrack servers use a private network.

Encryption

  • The hard disks of all servers are encrypted.
  • Communications between you and EvTrack servers are encrypted via industry best practices: HTTPS and Transport Layer Security (TLS) over public networks.
  • Databases on EvTrackGuard app are encrypted with PKI RSA/AES scheme.

What information security controls are available / deployed?

Data Segregation:

EvTrack uses a multi-tenant data model to host all its applications. Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. Per this design, no customer has access to another customer’s data.

Secure credential storage

When it comes to secure credential storage, EvTrack follows best practices: Never storing passwords in a human-readable format, and only after a secure, salted, one-way hash (bcrypt).

Access control:

EvTrack has an in-built authentication module where it provides the ability for customers to define user names and assign access roles.

Encryption:

All data at rest is encrypted using AES standards with the keys being managed by AWS Key Management Service. All data in transit is encrypted using HTTPS FIPS-140-2 standard encryption.

Logs:

All the events and activities are logged. Application Audit Logs within the Admin console (Report > Audit Report) captures the user activities and configuration changes or all users. These logs are read-only and also encrypted for protection.

Where is the data backed up? Will we lose any data?

A continuous backup is maintained in different data centres to support a system failover if it were to occur in the primary datacenter. Data is backed up to persistent storage every day and retained for the last seven days.

All backups are encrypted using AES 256-bit encryption and keys being managed through AWS Key Management Services (KMS).

What data does EvTrack have access to? What data of ours does EvTrack analyze?

By Default, EvTrack does not have access to any of the customer's data. In case a customer wants an EvTrack representative to work on their account, they have to add them as an occasional agent.

EvTrack stores and processes customer data, where data refers to all electronic data, messages, or other material submitted to EvTrack by the customer through the customer’s account in connection with the customer’s use of EvTrack’s service(s). This data is processed in compliance with applicable laws and regulations for the purpose of providing services in the EvTrack Visitor and Access Control Management System. As a data processor, EvTrack performs operations or set of operations on this data in relation to services offered.

‘Data hosted’ means data stored for the delivery of services we provide as a data processor and includes data stored for backup.

How do I erase all the data in my account?

Data Deletion post account termination: Any data deleted will be erased 14 days post date of termination.

Do you process personal data/PII?

Being the data controller, the customer gets to decide what data to host/process in EvTrack. EvTrack processes data in accordance with your terms of service

What is EvTrack’s Data Retention Policy

Data is retained as long as the customer is active and using our products. If any delete is performed by the users (tenants, admin, etc…) - then the delete is immediate. However, logs will be retained. These archived logs would also be purged automatically after 12 months. The log will just contain only information about the action or event and associated details. Logs will not have any data including PII.

Upon Account Termination, all account data will be deleted after 14 days from the date of termination. Logs will be retained as mentioned above.

What measures are taken to ensure Secure Development?

  • Engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and EvTrack security controls.
  • Testing and staging environments are separated both physically and logically from the production environment.
  • Systems are updated and patched on every release. Releases are pushed every 4 weeks at EvTrack.
  • The source code repositories are continuously scanned for security issues via our integrated static analysis tool.

What additional security measures is EvTrack taking?

  • EvTrack performs background checks on all new employees in accordance with local laws.
  • All newly-hired employees are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements.