
Security Policy

Introduction

This Security Statement is intended to provide transparency about our security infrastructure and practices, to help reassure you that your data is appropriately protected. We recommend that you read this along with our DPA.

Last Modified: 5 May 2018

PCI Compliance

Pay With Bolt is a PCI DSS Level 1 certified service provider. This means our systems and processes are fully PCI compliant, and that we are audited by a certified third party on an annual basis. We use Forgenix as our qualified security assessor (QSA), and a record of our certification can be found on Visa’s website here:

https://www.visaeurope.com/receiving-payments/security/downloads-and-resources

Download: Visa Europe Member Agent Weblisting

Our attestation of compliance (AOC) is available on request.

User Security

User Authentication: User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. Pay with Bolt issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed. We never solicit user passwords.

Data Encryption: Certain sensitive user data, such as credit card tokens and account passwords, are stored in encrypted format.

Data Residency and Jurisdiction: Pay with Bolt data is stored in Amazon data centres in Ireland (eu-west-1).

Physical Security

All Pay with Bolt information systems and infrastructure are hosted on Amazon AWS infrastructure. Pay with Bolt’s employees do not have any physical access to our production environment.

Here are more details about the security setup of AWS.

“Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.”

In addition to physical security, being on the AWS platform also provides us with significant protection against traditional network security issues on the infrastructure, such as

  • Distributed Denial Of Service (DDoS) Attacks
  • Man In the Middle (MITM) Attacks
  • IP Spoofing
  • Port Scanning
  • Packet sniffing by other tenants

Availability

Uptime: Continuous uptime monitoring, with immediate escalation to Pay with Bolt staff for any downtime.

Failover: At any point in time, Pay with Bolt is running in an active:active configuration in at least 2 data centres and supports real-time failover of all components, with the exception of our database, which is configured as active:standby, where a typical failover is completed automatically in under 2 minutes.

Backup Frequency: Pay with Bolt supports point in time recovery to any point in the last 35 days. Full backups are created and stored on a daily basis during this period.

Network Security

Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and are subject to functional and security testing prior to deployment to active production systems.

Firewalls: Firewalls restrict access to all non-essential ports to operate the service.

Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Encryption in Transit: By default, our survey collectors have Transport Layer Security (TLS) enabled to encrypt respondent traffic. All other communications with the Pay with Bolt.com website are sent over SSL connections, which protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure and only available to its intended recipients.

Vulnerability Management

Patching: Latest security patches are applied to all operating systems, applications and network infrastructure to mitigate exposure to vulnerabilities.

Third Party Scans: Our Approved Scanning Vendor for PCI compliance is Tenable Inc. (https://www.tenable.com). PCI external scans are performed weekly.

Organisational & Administrative Security

Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.

Employee Screening: We perform background screening on all employees to the extent permitted by local laws; this may include police checks for developers who interact with our systems.

Training: We provide security and technology use training for employees.

Service Providers: We screen our service providers and contractually bind them to appropriate confidentiality and security obligations if they deal with any user data.

Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.

Audit Logging: We maintain and monitor audit logs on our services and systems.

Software Development Practices

Stack: We code in J2EE and JavaScript and run on Oracle and various NoSQL databases.

Deployment: We deploy code on a regular bi-monthly basis and on an ad hoc basis, giving us the ability to react quickly should a bug or vulnerability be discovered within our code.

Compliance and Certifications

PCI: Pay with Bolt is currently PCI DSS Level 1 compliant.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures that have to be followed by the organizations that process, store or transmit card data. The PCI Security Standards Council is governed by the five major payment card brands – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.

Handling of Security Breaches

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Pay with Bolt learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

Your Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any survey data you download to your own computer away from prying eyes.

Dealing with requests for personal data

A customer who contacts us via one of our supported communication channels will have a ticket created in our support system. We will verify the identity of the customer before deleting or sending any personal data back to them. We will only service requests from customers we have a direct relationship with. Customers or users of our service via a third party must direct their request to that third party for processing.

Regarding a request to delete data, we will do this in the following way, and only if the data does not pertain to the necessary running of our business. Data will be systematically deleted from Bolt, AgileCRM, Zendesk, and Chargebee on closure of the support ticket. If a contact subsequently signs up for a Pay with Bolt service, new data will then be held for that person.

For customers requesting exports of their data, we will supply this in CSV format within 14 days of the support ticket creation and no later than 30 days after the initial request. Separate files for each system export will be provided; for example, if personal data is found in three of our systems, we will export three CSV files and post these in the support ticket, which will be emailed to the requester.

Updates to this policy

Please note, we are constantly reviewing how we process and protect data. Therefore, changes to our security policy may occur at any time. We will endeavour to publicise any changes. To the extent permitted under applicable law, by using our Services after such notice, you consent to our updates to this security policy. We encourage you to periodically review this security policy for the latest information on our security practices.