Security Policy
Last Updated January 12, 2020
1. Introduction
Keeping your data secure, confidential, and readily accessible are SalonTouch’s greatest priorities. Our hosting provider, TierPoint, provides industry-leading security based on the concept of defense in depth: securing our organization, and users’ data, at every layer. Our payments platform is PCI DSS Level 1 service provider certified. While no system can guard against every potential threat, SalonTouch’s defensive line is advanced and monitored 24/7, 365 days a year by highly trained professionals. The focus of TierPoint’s security program is to prevent unauthorized access to user data. To this end, there is a team of dedicated security practitioners that take exhaustive steps to identify and mitigate risks, implement best practices, and continuously develop ways to improve.
2. This Agreement
This Security Policy should be read in conjunction with the Privacy Policy. This Security Policy contains defined terms, which are defined elsewhere in the Agreement. Please refer to these defined terms in reviewing this Security Policy. When you access, view or use any part of the SalonTouch Services, you are accepting the terms and conditions of this Agreement. If you are agreeing to this Security Policy on behalf of a corporation or other legal entity, you represent that you have the authority to bind such entity and its affiliates to the Agreement. If you do not have such authority, you must not enter into this Agreement and may not use any of our services or content. Having considered the above preliminary matters and mutual agreements below, the Parties hereby agree as follows:
3. Secure by Design
TierPoint’s security team has built a robust, secure development lifecycle, which utilizes external/internal penetration testing. While TierPoint strives to catch all vulnerabilities in the design and testing phases, we realize that sometimes mistakes happen. With this in mind, if you feel there may be a security breach, we ask that you contact [email protected] to facilitate responsible disclosure of potential security vulnerabilities. All identified vulnerabilities are validated for accuracy, triaged, and tracked to resolution.
4. Encryption
- Data in Transit. All data transmitted between SalonTouch users and the SalonTouch Services is sent using strong encryption protocols. SalonTouch supports the latest recommended SSL certificates to encrypt all traffic in transit, including the use of TLS 1.2 protocols and AES256 encryption.
- Data at Rest. Credit card data at rest in SalonTouch’s production network is encrypted using industry standards for data encryption or stored as Tokens, which are created and stored by our merchant partners. All encryption keys are stored in a secure server on a segregated network with limited access. SalonTouch has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Each SalonTouch user’s data is hosted in our shared infrastructure and logically separated from other users’ data. We use a combination of storage technologies to ensure user data is protected from hardware failures and returns quickly when requested.
4. Network Protection
Network access to SalonTouch’s production environment from open, public networks (the Internet) is restricted, with only a small number of production services accessible from the Internet. Only those network protocols essential for the delivery of SALONTOUCH’s Service to its users are open at our perimeter. SalonTouch utilizes TierPoint’s services for redundancy and performance of services. All secure servers are protected by firewalls, best-of-class router technology, TLS encryption, file integrity monitoring, and network intrusion detection that identifies malicious traffic and network attacks.
- Access Control. To minimize the risk of data exposure, SalonTouch employees and affiliates are only authorized to access data that they reasonably must handle to fulfill their current job responsibilities.
- System Monitoring, Logging, and Alerting. TierPoint monitors servers and networks to maintain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers hosting sensitive data in the SalonTouch production network are logged, analyzed, and retained in accordance with PCI and HITRUST requirements.
All networks are monitored using a Security Incident Event Management (“SIEM”) system that gathers logs from all network systems and creates alert triggers based on correlated events.
- Hosting Providers. Our hosting and cloud service providers are PCI compliant and have completed the industry standard SOC 2 certifications. This includes controls and processes such as multi-factor authentication, role-based access controls (“RBAC”), redundant utilities, and strict change management processes. No computer system or information can ever be fully protected against every possible threat. SalonTouch is committed to providing reasonable and appropriate security controls to protect our services, Websites, and information against foreseeable threats. If you have any questions about security, you can contact us at [email protected].
5. Expectations
A. User Expectations. TierPoint maintains the security of our server; however, you, as a SalonTouch user, are responsible for implementing other security practices. We recommend that you:
- Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, credit card readers, tablets, and mobile devices);
- Install appropriate anti-virus and anti-malware protection;
- Enable web browser auto-updates;
- Implement a robust operating system and software patching process;
- Implement secure user and password management processes, including periodic password changes and deleting user accounts promptly after staff departures;
- Replace old peripherals and hardware with more modern and secure alternatives;
  - For example, replace systems with non-supported operating systems;
  - For example, replace swipes with EMV devices;
- Use the SalonTouch systems as designed;
- Restrict access to consumer data if there is no business need for the team member to view;
- Use at least TLS v1.2 when connecting to the internet; and
- Notify SalonTouch immediately of any suspected compromise or unusual account activity by sending an email to [email protected].
SalonTouch is certified as a Level 1 Service Provider under PCI DSS Version 3.2. Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (“PCI DSS”), which outlines credit card processing merchants' responsibilities for the protection of Cardholder Data. We strongly recommend you follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply.
At a minimum, you must:
- Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious;
- Restrict permission to install software on those computers to users, business owner and/or trusted senior staff;
- Maintain up-to-date versions of operating systems (e.g., Microsoft) and applications (e.g., Microsoft Office, Adobe Reader, Google Chrome), with all security updates and patches installed;
- Ensure that every individual that logs into the services has a unique username and password that is known only by that individual;
- Only store credit card account numbers in encrypted credit card fields designed for that purpose or upgrade to Token-based encryption; and
- Destroy any hard copy documents that have Cardholder Data written on them.
DISCLAIMER OF RESPONSIBILITY FOR CARDHOLDER DATA. If you use the optional Payment Processing Service to process payments, SalonTouch is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by SalonTouch’s system(s). You remain responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by SalonTouch’s system(s).
6. Changes to the Security Policy
We may, in our sole discretion, make changes to this Security Policy from time to time. Any changes we make will become effective when we post a modified version of the Security Policy to Our Website, and we agree the changes will not be retroactive. If you have any questions regarding this Security Policy, you can contact us by email at [email protected] or by mail at:
ATTN: SalonTouch Security
Alpharetta, GA 30005