Data Security Policy
Updated on December 24, 2018
NewtonX’s internal policies define the guidelines for employees to operate the NewtonX platform and associated technologies, and serve to protect information assets. These policies include, but are not limited to, the following:
- Identification, Authentication, and Access Control
- Security Awareness
- Acceptable Use
- Risk Assessment
- Vulnerability Management
- Incident Response
The NewtonX security and senior management team reviews and approves policies intermittently, or when there is a significant change that impacts how controls or policies operate.
NewtonX stores two categories of data: structured and unstructured. Structured data, including our expert profiles, client profiles, and project information entered into the NewtonX platform, is stored within a Google Cloud SQL database. Unstructured data, including files uploaded by our clients or experts and recordings, is stored in Google Cloud Storage. We tag all client data, and backend logical access controls prevent one client from seeing the data of another client. NewtonX controls and restricts employee, client, and expert interaction with data via role-based access permissions, so users cannot access data they have not been explicitly granted permission to see.
NewtonX tightly controls access to systems, proprietary platforms, and data by limiting access levels based on job responsibilities. Only NewtonX senior employees have access to the NewtonX platform and the data it holds. Our technology and security team reviews permissions on a quarterly basis to help ensure that access remains appropriate to active and authorized personnel. When an employee departs from NewtonX, our process dictates that we immediately revoke access to all systems.
The NewtonX Platform can integrate with clients’ various Single Sign-On (SSO) solutions via Security Assertion Markup Language (SAML), enabling streamlined management of client personnel who access the platform.
NewtonX configures the load balancers to support secure Transport Layer Security (TLS) connections between end-point devices and the NewtonX Platform to help ensure the secure transmission of information over public networks. We also encrypt all data stored on the Platform at rest using the Advanced Encryption Standard (AES) with 256-bit keys.
Security vulnerabilities that threaten the confidentiality, integrity, and availability of data arise as a product of technological advances and changes to the NewtonX platform code. We continuously monitor for security vulnerabilities through methods including, but not limited to, subscriptions with our vendors and reputable researchers, as well as monthly vulnerability scanning of the Platform and underlying systems. We triage all vulnerabilities to determine impact and patch our systems according to criticality. The architecture of the Platform enables our engineering team to deploy security patches seamlessly without disrupting our clients’ experience.
Additionally, NewtonX regularly conducts internal penetration testing of our web applications and the underlying infrastructure to identify security vulnerabilities. Clients who wish to perform their own independent testing should contact their NewtonX Account Manager.
The NewtonX product and engineering teams follow an agile Systems Development Life Cycle (SDLC). The NewtonX SDLC includes a number of controls to help ensure development efforts are well-designed and secure. Controls in place include, but are not limited to, robust inter-team testing, code reviews, and management approvals prior to implementing a change into the production environment. NewtonX also restricts the ability to implement changes in the production environment to a small number of authorized engineers and technologists.
NewtonX leverages Google Cloud’s distributed architecture, spreading its data footprint over multiple regions, and multiple zones within those regions. NewtonX uses a container-based architecture, which allows us to easily launch the NewtonX Platform infrastructure within another cloud provider, or from within our own hosted environment, if needed.
To help ensure that our controls are designed appropriately and operating effectively, NewtonX undergoes an annual SOC 2 examination from an independent third-party audit firm. Please contact your NewtonX Account Manager to request a copy of our most recent SOC 2 audit report.
At NewtonX, our clients’ and experts’ privacy is extremely important to us. NewtonX has designed its privacy program to meet General Data Protection Regulation (GDPR) requirements, which you can find here. We are happy to sign data processing addenda and model clauses with our clients.
The NewtonX Platform is built on the Google Cloud Platform. As part of Google’s service offering, Google takes responsibility for physical and environmental security, availability, routing, switching and networking controls. Google data centers are equipped with state-of-the-art physical security controls including, but not limited to, multi-factor authentication (badge access card and biometric), strict role-based access, security guard monitoring, video surveillance systems, and access logging and monitoring. Google deploys environmental security controls within their data centers to ensure systems remain fully operational, including redundant generators, uninterruptible power supply (UPS) systems, cooling systems, and fire detection and suppression systems.
Google provides NewtonX with additional built-in protections that include, but are not limited to:
- Vulnerability management: Any Google software consumed by NewtonX automatically updates to the most current version.
- Key management: NewtonX’s keys are stored in Google’s secure key management system (KMS).
- Traffic load increase protection: Google’s Autoscaler adds the appropriate resources to handle traffic spikes when required.
NewtonX may use third parties for the NewtonX Platform and Services. We employ a third-party supplier evaluation process that requires that all service providers follow the appropriate administrative, technical, and physical safeguards to ensure our security policy is maintained. This includes the review of any third-party audit reporting, penetration testing, vulnerability scanning results, and more.