Privacy & Security

Coconut Software’s security is designed to protect both, your enterprise and your customers’ information. We understand the security needs surrounding SaaS applications and have implemented specific measures to monitor and protect your data. We adhere to industry-leading standards to manage our network, secure our web and client applications, and set strict policies across our organization.

Frequently Asked Questions

 

Below we’ve included ten of the most common data privacy and security questions we hear. If you have any additional questions or concerns about our security practices, please feel free to reach out to our Privacy Manager.

 

 

How is your data encrypted? Are records in the database encrypted?

All data is encrypted in transit, and at rest. Database encryption is done via Amazon RDS and uses AES-256.

Staff workstation encryption is done via Filevault on macOS and Bitlocker on Windows 10 devices.

AWS IAM is used to manage keys for encrypting data at rest. Only select senior staff have access to production environments and keys.

 

 

Where will our data be hosted?

All data is stored in the data centers according to the location of the headquarters of the organization (i.e. data from users from US organizations is stored in an US data center, and data from users from Canadian organizations is stored in a Canadian data center).

All Coconut application and client data is backed up to Amazon Simple Service Storage (S3), and is replicated across multiple Availability Zones. Backups are tested quarterly for usability.

Please see https://aws.amazon.com/compliance/ for SSAE 16, SOC 1, SOC 2, OWASP, or PIPEDA report for hosted services.

Please see https://aws.amazon.com/security/ for security details related to application hosting environment.

In addition to data center security and network security, AWS data centers provide exceptional operational security and has several certifications that its customers can leverage. Some of them include SOC 1, SOC 2, SOC 3 and ISO 27001. For more details on AWS Compliance, please visit: https://aws.amazon.com/compliance/.

 

 

What monitoring is in place? How do you monitor for file integrity? Intrusion detection, etc?

Coconut uses Threat Stack for intrusion detection, vulnerability monitoring, configuration monitoring, and file integrity monitoring.

Coconut uses New Relic for availability and response time monitoring.

Coconut uses Bugsnag for error logging and monitoring.

Remediation plans are in place for emergency, high, and medium rated issues as they arise.

 

 

How frequently are backups done?

We run full nightly backups and incremental back-ups every five minutes. Backups are tested quarterly for usability.

All Coconut application and client data is backed up to Amazon Simple Service Storage (S3), and is replicated across multiple Availability Zones.

 

 

Are you compliant with SOC 2?

Coconut Software is SOC 2 compliant.

In addition to data center security and network security, AWS data centers provide exceptional operational security and has several certifications that its customers can leverage. Some of them include SOC 1, SOC 2, SOC 3 and ISO 27001. For more details on AWS Compliance, please visit:https://aws.amazon.com/compliance/.

 

 

What checks are done on new employees? Are they required to sign NDAs?

All Coconut Employees must pass a standard criminal record check prior to employment. They must also sign non-disclosure agreements prior to employment and receiving any proprietary and/or sensitive data. All new staff are shown a privacy and security video as part of the onboarding and training process.

Coconut has monthly privacy and security meetings to review policies and best practices. Coconut holds yearly, mandatory privacy and security training sessions for all staff each August.

In the event of employee security infractions, we enforce a graduated discipline policy.

 

 

Is production data used in test environments?

The Coconut application maintains separate environments for production, development, and demonstration purposes, all hosted on AWS. No live client data is used for testing or demonstration purposes.

 

 

Do you use cookies? If so, what data is used?

The only cookies we use are session cookies, with a short-life that doesn’t contain any personal info. For authenticated users, we use authentication cookie that is completely encrypted.

 

 

What are your incident response procedures?

Detailed incident response plans have been prepared to ensure proper protection of data in an emergency. For more details, please refer to the section above on monitoring procedures.

 

 

What can we expect in the case of a data breach?

There have been no security breaches in the last 7 years. In the event of the unexpected though, all breach notifications will be handled according to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, 2000), as amended by the Digital Privacy Act (DPA, 2015). For European Union clients, all breach notifications will be handled according to the EU’s General Data Protection Regulation Act (GDPR, 2018).

 

For more information, please visit Coconut Software’s Privacy Notice & Terms of Use.