How do our Clients access the platform?
The Genus AI Platform uses short-lived login sessions. Genus AI authenticates approved users by emailing them a login link, so clients never hold a password for the platform; this avoids the risks that passwords bring, such as weak choices, re-use on other systems and the need to store them.
What data and data types are required (sent or acquired by the Client)?
Genus AI will receive the Client’s Customer information, consisting of First Name, Last Name, Email Address, Postal Address and applicable purchasing and performance data such as number of orders, lifetime value, churn status, etc. In return, Genus AI sends Genus AI Archetypes and custom scores appended to the Client’s Customer records.
How is the data transferred between Client to Genus AI?
Data is uploaded to Genus AI via our secure online platform using a one-time log-in link shared with authorized Client users at https://platform.genus.ai/clients/login/
Where is Client’s Customer data hosted?
Genus AI hosts all Client’s Customer Data on Amazon Web Services (AWS), a highly scalable cloud computing platform with built-in end-to-end security and privacy features.
1. How is Client’s Customer Data stored?
In an S3 bucket. Each Client’s Customer Data is kept separate from that of other clients.
2. Client specific schema?
The schema is either inferred from the uploaded CSV file or taken from a pre-defined, approved schema.
3. Table space?
No tablespaces used.
4. Is data encrypted at rest? If so, what standard?
Yes, with AES-256 using keys managed by AWS KMS.
5. Is data encrypted in motion? If so, what standard?
Yes, with TLS (SSL).
6. Do you house any data internally? If so, what types of data?
Yes, we store other clients’ data in their own dedicated spaces, as well as third-party data from our data vendors.
What sort of application security is in place?
All data in-transit is secured with TLS. All data at-rest in S3 buckets is stored with eleven nines of durability and encrypted with AES-256.
All data at-rest in EC2 machines is stored on encrypted storage devices. We utilize AWS Key Management Service to handle encryption key management and rotation.
All Genus AI web application communications are encrypted over TLS with 256-bit ciphers, so they cannot be read by a third party; this is the same level of encryption used by banks and financial institutions.
Can Client Data be edited or removed from the Genus AI platform?
Yes. Client Data is removed automatically after 30 days and can be deleted at any time by logging into the platform. The data will always be destroyed after the client ceases work with Genus AI, or as per the timescale outlined on the Order Form.
· We remove the data from our AWS storage when you remove it from the Genus AI platform. The data will automatically be removed from the platform in 30 days.
· The data is destroyed once the matching, enrichment and/or leads selection is complete unless the client engages in ongoing enrichment and leads selection where storing the data is beneficial for providing these services, as per the timescale stipulated in the Order Form.
· We do keep a short-term backup of client data for recovery from errors, but it is the Client’s responsibility to download important data for safekeeping.
Can the data be exported if the Client decides to leave one day?
All Client Customer data can be accessed on our platform. It is possible to download and remove data at any time.
For the Client’s Customer Personally Identifiable Information (PII) that is transferred to or from the Client, acquired by Genus AI on behalf of the Client, or shared in any form, Genus AI can provide the following on request:
1. A communications path diagram, data flow and systems ID diagram.
2. Data Protection Controls: Written Information Security Policy, Changing or Adding Systems Policy and Incident Response Policy.
What policies has Genus AI implemented that relate to data?
Does Genus AI need to receive or accept credit card data?
Does Genus AI have a dedicated privacy & security officer?
Yes, Genus AI’s dedicated privacy & security officer is Dr. Tadas Jucikas. To reach the team, please use our dedicated security email firstname.lastname@example.org.
Servers and Tools:
All Genus AI servers are inaccessible from the internet, except through a dedicated machine with hardened configuration and multiple layers of authentication. All unauthorized attempts to access this system are tracked in real time by automated systems.
1. AWS Infrastructure:
1. Multi-Factor Authentication (MFA) is enforced.
2. All infrastructure changes and data access are logged.
3. Logs are verified against tampering.
List all the programming languages and application frameworks used in Genus AI’s service:
· Python 3.6
· Django 2.x
List all the Security Products and tools used at Genus AI:
Genus AI utilizes automated threat detection systems, hardware multi-factor authentication tokens, automated compliance rules and password managers.
Are there any encryption algorithms and solutions in use to support data security at Genus AI?
Yes, Genus AI uses AWS Key Management Service: https://aws.amazon.com/kms/.
Does Genus AI have a policy that identifies and determines controls regarding the proper use of workstations to support access and protection of data?
All production data is in a VPC (virtual private cloud). Internal access is firewalled and users must be authenticated on the VPN and via multi-factor authentication to access anything.
Do you have a security policy to help ensure the confidentiality, integrity, and availability of data? Do you have a SOC2/3 report?
For documentation regarding how data is stored and protected when in use, and at rest, refer to the Genus AI Security Policy. For SOC2/3 reports, refer to: AWS Cloud Security
Does Genus AI have a security control policy (locked doors, surveillance cameras, alarms) to prevent theft of data?
For documentation regarding physical location security, facility maintenance, and access control, refer to this white paper: Amazon Web Services: Security Overview.
Do you have procedures for terminating access to systems containing data when a team member is no longer employed at Genus AI?
End of employment processes are in place. VPN access is disabled, AWS and administrator access keys are terminated, and all access to data is revoked. Upon termination, employees are required to destroy remaining local data and return hardware to Genus AI.
Have you taken steps to protect the organization from malicious software, including the application security patches?
Per internal IT policy, we only upgrade instances to stable release versions and apply all security patches when released. We test for malicious data uploads every time new data is uploaded to the platform.
Have passwords been implemented that are unique to a user and comply with best practice components including password length, complexity, and duration?
All Genus AI staff use strong, unique, random passwords, with two-factor authentication used wherever it is offered. Hardware multi-factor authentication devices are issued, one per staff member. Genus AI uses a company-wide, industry-leading password manager and secure password vault, and regularly runs the password manager’s security check to look for duplicate passwords, low-strength passwords, etc.
Staff are restricted to the minimum set of systems they need access to, so only those who need to work with your data can see it. These practices allow us to monitor weak password use, manage password guidelines and log user activity.
Do you routinely conduct audits of your application, such as code reviews?
Yes. Code reviews and analysis are conducted by all engineers as a part of the development process. All employees who have access to the codebase have 2-Factor Authentication enforced on their accounts. All changes to infrastructure are done through code repository changes.
All code changes are reviewed by at least one other engineer. All code dependencies are updated monthly. Each dependency update is vetted individually, and if any causes concern the update is deferred. All Genus AI package code is unit- and integration-tested.
Do you routinely conduct audits of your application, such as penetration tests, or vulnerability scans?
Genus AI does application scans and penetration tests on a regular basis. Last penetration test was completed in January 2019.
Genus AI utilizes various services to keep track of all events within our AWS account. They record who accessed individual files in S3 buckets, launched services or ran commands on servers, and when.
Logs are validated against tampering. Network activity metadata is kept to keep track of all network events within our cloud network.
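The page states that logs are validated against tampering but not how. One common approach, also used by AWS CloudTrail's log file validation (which signs a chain of digest files), is to chain each stored log batch to the previous one with a keyed digest. The following is an added example, not Genus AI's code: the key name, the genesis value and the log entries are all constructed for the illustration.

```python
# Added example (not Genus AI's code): each log batch carries an HMAC-SHA256 digest
# over its contents and the previous batch's digest, so altering, removing or
# reordering a batch breaks every later link. The log lines are constructed.
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key"  # hypothetical; in production fetched from a secrets/KMS service
GENESIS = "0" * 64  # stands in for the digest of the batch before the first one

def batch_digest(key, prev_digest, entries):
    """HMAC-SHA256 over the previous digest and the canonical JSON of the entries."""
    payload = prev_digest.encode() + json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def seal(key, batches):
    """Attach chained digests to a list of entry lists; returns the sealed log."""
    sealed, prev = [], GENESIS
    for entries in batches:
        digest = batch_digest(key, prev, entries)
        sealed.append({"prev": prev, "entries": entries, "digest": digest})
        prev = digest
    return sealed

def verify(key, sealed):
    """Return the index of the first batch that fails verification, or None if the chain is intact."""
    prev = GENESIS
    for i, batch in enumerate(sealed):
        if batch["prev"] != prev:
            return i  # chain broken: a batch was removed, inserted or reordered
        expected = batch_digest(key, prev, batch["entries"])
        if not hmac.compare_digest(expected, batch["digest"]):
            return i  # contents or digest were altered
        prev = batch["digest"]
    return None

# Constructed sample: two batches of authentication events.
BATCHES = [
    [{"ts": "2019-01-10T09:00:00Z", "event": "login", "user": "alice", "mfa": True}],
    [{"ts": "2019-01-10T09:05:00Z", "event": "assume-role", "user": "alice", "result": "ok"},
     {"ts": "2019-01-10T09:07:00Z", "event": "login", "user": "bob", "mfa": False}],
]

if __name__ == "__main__":
    log = seal(SEAL_KEY, BATCHES)
    print("intact:", verify(SEAL_KEY, log))  # None
    log[1]["entries"][1]["mfa"] = True       # quietly rewrite bob's login as MFA-backed
    print("tampered:", verify(SEAL_KEY, log))  # 1
```

The chain does not by itself detect truncation of the most recent batches, so the latest digest should also be recorded somewhere the log writer cannot modify.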
All Genus AI infrastructure is codified in CloudFormation templates and stored in a code repository that contains history about changes to infrastructure.
Genus AI captures as much logging information as possible from across the infrastructure: system logs, authentication logs and service logs on instances.
The Genus AI team constantly monitors security notifications for all third-party software libraries we use, and when a relevant issue is identified the team applies the security patch as soon as it is released. The Genus AI engineers work together with the product teams to ensure that all Genus AI code and infrastructure follows a secure development lifecycle process.
Designed with redundancy, fault tolerance and disaster recovery at the forefront, our services are located in the US East (data center) region. All infrastructure is within a virtual private cloud (VPC), with production access restricted to operations support staff only. This allows Genus AI to leverage firewall protection, private IP addresses and other security features.
For more specific details regarding AWS security, please refer to https://aws.amazon.com/security/
All data is stored on AWS infrastructure, housed in Amazon-controlled data centers. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. It is safe to say Amazon is much better at physical security than we are capable of being, so we leave it to them.
All Genus AI company laptops are managed through an Enterprise Mobility Management system monitoring and enforcing compliance requirements for:
- Disk Encryption – all company laptops have their disks encrypted;
- Password Policy – passwords are regularly rotated;
- Automated Updates – operating system updates are installed automatically.
Continuous monitoring and alerts are used for compliance to the above rules.
Engineering and Operational Practices
Genus AI designs all services with high availability in mind. The goal is to deliver 99.99% uptime for the Genus AI platform. In order to achieve this goal, a number of engineering best practices are followed including:
- Immutable infrastructure – changes to live code or running servers in production are not made. Where applicable, both our software and our infrastructure configuration are treated as code, which means all changes go through a formal code review, automated testing and an automated deployment process.
- Continuous integration and delivery – continuous integration and deployment automation and configuration management tools are used to build, test and deploy code multiple times a day.
- Incident response – the Genus AI engineering team is available to respond to any security or availability incident within 2 hours during work hours, within 12 hours during non-work hours and within 24 hours during weekends and national holidays.
- Security audits – Every year Genus AI has an independent security firm execute a white-box penetration test audit across our system and code base. On request, the results of the latest audit can be provided to current or potential customers.
Genus AI utilizes automated compliance rules to check that all AWS resources meet our security standards and to send alerts if they do not (see: Incident Response). Trusted Advisor is used to keep in line with AWS infrastructure best practices.
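The following is an added example of such an automated compliance rule, not Genus AI's own code or infrastructure: it inspects constructed CloudFormation-style S3 resources for the controls stated on this page (SSE-KMS default encryption, a lifecycle rule expiring objects within the 30-day removal period, and a bucket policy denying requests not made over TLS). The logical IDs, the KMS alias and the template itself are constructed for the illustration.

```python
# Added example (not Genus AI's code): an automated compliance rule for
# CloudFormation-style S3 resources, checking the controls stated on this page.
RETENTION_DAYS = 30  # automatic removal period stated on the page

def denies_plaintext(policy):
    """True if a Deny statement covers requests with aws:SecureTransport=false."""
    for st in (policy or {}).get("Statement", []):
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if st.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def check_bucket(name, props, policy):
    """Return findings for one bucket; an empty list means compliant."""
    findings = []
    enc = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if "aws:kms" not in {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in enc}:
        findings.append(f"{name}: default encryption is not SSE-KMS")  # SSE-S3 "AES256" alone fails
    rules = props.get("LifecycleConfiguration", {}).get("Rules", [])
    if not any(r.get("Status") == "Enabled" and r.get("ExpirationInDays", 10**9) <= RETENTION_DAYS
               for r in rules):
        findings.append(f"{name}: no enabled lifecycle rule expiring objects within {RETENTION_DAYS} days")
    if not denies_plaintext(policy):
        findings.append(f"{name}: bucket policy does not deny non-TLS requests")
    return findings

def audit(template):
    """Map every AWS::S3::Bucket logical ID in the template to its findings."""
    res, policies = template["Resources"], {}
    for r in res.values():
        if r["Type"] == "AWS::S3::BucketPolicy":
            b = r["Properties"]["Bucket"]  # plain bucket name or {"Ref": logicalId}
            policies[b["Ref"] if isinstance(b, dict) else b] = r["Properties"]["PolicyDocument"]
    return {lid: check_bucket(lid, r["Properties"], policies.get(lid))
            for lid, r in res.items() if r["Type"] == "AWS::S3::Bucket"}

# Constructed template: ClientAData meets all three controls, ClientBData meets none.
TLS_ONLY = {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
def sse(alg): return {"ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": alg}}]}
TEMPLATE = {"Resources": {
    "ClientAData": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": sse("aws:kms"),
        "LifecycleConfiguration": {"Rules": [{"Status": "Enabled", "ExpirationInDays": 30}]}}},
    "ClientADataPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
        "Bucket": {"Ref": "ClientAData"}, "PolicyDocument": {"Statement": [TLS_ONLY]}}},
    "ClientBData": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": sse("AES256"),
        "LifecycleConfiguration": {"Rules": [{"Status": "Disabled", "ExpirationInDays": 30}]}}}}}

if __name__ == "__main__":
    for bucket, findings in audit(TEMPLATE).items():
        print(bucket, "OK" if not findings else "\n  " + "\n  ".join(findings))
```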