Plio Security – frequently asked questions

Data Security

1. How do you encrypt data at rest?

Data at rest is encrypted using the encryption-at-rest features of the MongoDB database.
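As an added illustration (not Plio’s own configuration, which the page does not show), the following mongod.conf fragment enables MongoDB’s Encrypted Storage Engine, the feature the answer refers to. It assumes MongoDB Enterprise (the encrypted storage engine is not in the Community edition) and a locally stored key file; the path is a placeholder.

```yaml
# Added example: MongoDB Enterprise encryption-at-rest settings (hypothetical deployment)
storage:
  dbPath: /var/lib/mongo          # placeholder data directory
security:
  enableEncryption: true          # turn on the Encrypted Storage Engine
  encryptionCipherMode: AES256-CBC
  # Local key file: acceptable for test systems; the file must be readable only by the mongod user.
  # For production, MongoDB recommends a KMIP-compliant key manager (security.kmip.*) instead
  # so the master key is not stored on the same host as the data.
  encryptionKeyFile: /etc/mongo/keyfile   # placeholder path
```

When reviewing such a deployment, confirm that `enableEncryption` is set on every replica-set member (the setting is per-process, not cluster-wide) and that the key file or KMIP credentials are excluded from backups of the data directory; otherwise the backup and its key travel together.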

2. How do you encrypt data in transmission?

TLS (SSL) encryption is enabled for Plio data in transit, using certificates issued by Let’s Encrypt.

3. Is your data stored on your premises or hosted by a 3rd party?

Data is stored on servers provided by Rackspace Inc.

4. Do you destroy or return data to your customers at the completion of your services?

Prior to closing a Plio account, we allow customers to download their data. We also retain any data held in a closed account for a 60-day period, after which the data is destroyed.

5. Do you store or transfer customer data outside of the U.S.? If so, please specify.

No. All data is currently stored on US-based servers.

6. Describe your data backup strategy and schedules

Backup is carried out on a daily schedule.

7. Do you segregate information in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure?

Yes.

8. Do you allow use of removable media?

No.

9. Do you have password policies in place? Please describe requirements, including length and complexity.

Yes. Passwords are required to meet a minimum complexity and to be changed every 3 months.

Physical Security

1. How do you control access to your facilities? Do you have physical restrictions in place and keep a log of visitors?

All facilities used (Amazon AWS, Rackspace) are certified to ISO 27001. Certificates available on request.

2. How do you restrict access to any areas within your facilities where customer information is stored?

All facilities used (Amazon AWS, Rackspace) are certified to ISO 27001. Certificates available on request.

Disaster Recovery

1. Do you maintain a Disaster Recovery Plan?

Yes.

2. Do you perform Disaster Recovery tests?

Yes.

Regulatory Compliance

1. Do you comply with the new EU General Data Protection Regulation (EU GDPR)?

From May 2018, the EU GDPR will affect organizations that process EU residents’ personally identifiable information.

Plio Ltd is a business organization registered in and resident in the United Kingdom. Following the Brexit referendum it is uncertain when, if at all, the EU GDPR will apply to UK resident organizations.

2. Do you comply with US regulations governing the protection of personally identifiable information (PII)?

Unlike other jurisdictions, the US does not have a dedicated data protection law, but instead regulates primarily by industry, on a sector-by-sector basis.