Visor del documento
Nombre Último Cambio
Ironio (en) - Política de Privacidad y Puerto Seguro 11-feb-2016 | 100%
Cambio importante indicado
# Antigua Versión Nueva Versión
0 This Privacy Statement covers the information practices of http://iron.io .
1 Information Collected
2 Iron.io offers a variety of services that are collectively referred to as the “Services.” Iron.io collects information from individuals who visit the Company’s Web site (“Visitors”) and individuals who register to use the Services (“Customers”).
3 When expressing an interest in obtaining additional information about the Services or registering to use the Services, Iron.io requires you to provide the Company with personal contact information, such as name, company name, address, phone number, and email address (“Required Contact Information”).
4 When purchasing the Services, Iron.io requires you to provide the Company with financial qualification and billing information, such as billing name and address, and credit card number (“Billing Information”).
5 Iron.io may also ask you to provide additional information, such as industry, company revenues, or number of employees (“Optional Information”).
6 Required Contact Information, Billing Information, and Optional Information are referred to collectively as “Data About Iron.io Customers.”
7 As you navigate the Company’s Web site, Iron.io may also collect information through the use of commonly-used information-gathering tools, such as cookies and Web beacons (“Web Site Navigational Information”). Web Site Navigational Information includes standard information from your Web browser (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on the Company’s Web site (such as the Web pages viewed and the links clicked).
8 Use of Information Collected
9 The Company uses Data About Iron.io Customers to perform the services requested.
10 For example, if you fill out a “Contact Me” Web form, the Company will use the information provided to contact you about your interest in the Services.
11 Iron.io uses Contact Information for account access, service notifications, and other purposes related to use of the Services.
12 Iron.io uses credit card information solely to check the financial qualifications of prospective Customers and to collect payment for the Services.
13 The Company may also use Data About Iron.io Customers for marketing purposes. For example, the Company may use information you provide to contact you to further discuss your interest in the Services and to send you information regarding the Company and its partners, such as information about promotions or events.
14 Iron.io uses Web Site Navigational Information to operate and improve the Company’s Web site. The Company may also use Web Site Navigational Information alone or in combination with Data About Iron.io Customers to provide personalized information about the Company.
15 Web Site Navigational Information
16 Iron.io uses commonly-used information-gathering tools, such as cookies and Web beacons, to collect information as you navigate the Company’s Web site (“Web Site Navigational Information”). This section describes the types of Web Site Navigational Information that may be collected on the Company’s Web site and how this information may be used.
17 4.1Cookies
18 Iron.io uses cookies to make interactions with the Company’s Web site easy and meaningful. When you visit the Company’s Web site, Iron.io’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you. They merely recognize your Web browser. Unless you choose to identify yourself to Iron.io, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Me” or other Web forms that may be displayed), you remain anonymous to the Company. Iron.io uses cookies that are session-based and persistent-based. Session cookies exist only during one session. They disappear from your computer when you close your browser software or turn off your computer. Persistent cookies remain on your computer after you close your browser or turn off your computer.
19 If you have chosen to identify yourself to Iron.io, the Company uses session cookies containing encrypted information to allow the Company to uniquely identify you. Each time you log into the Services, a session cookie containing an encrypted, unique identifier that is tied to your account is placed your browser. These session cookies allow the Company to uniquely identify you when you are logged into the Services and to process your online transactions and requests. Session cookies are required to use the Services.
20 Iron.io uses persistent cookies that only the Company can read and use to identify browsers that have previously visited the Company’s Web site. When you purchase the Services or provide the Company with personal information, a unique identifier is assigned you. This unique identifier is associated with a persistent cookie that the Company places on your Web browser. The Company is especially careful about the security and confidentiality of the information stored in persistent cookies. For example, the Company does not store account numbers or passwords in persistent cookies. If you disable your Web browser’s ability to accept cookies, you will be able to navigate the Company’s Web site, but you will not be able to successfully use the Services.
21 Iron.io may use information from session and persistent cookies in combination with Data About Iron.io Customers to provide you with information about the Company and the Services.
22 4.2Web Beacons
23 Iron.io uses Web beacons alone or in conjunction with cookies to compile information about Customers and Visitors’ usage of the Company’s Web site and interaction with emails from the Company. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular Web site tied to the Web beacon, and a description of a Web site tied to the Web beacon. For example, Iron.io may place Web beacons in marketing emails that notify the Company when you click on a link in the email that directs you to one of the Company’s Web site. Iron.io uses Web beacons to operate and improve the Company’s Web site and email communications.
24 Iron.io may use information from Web beacons in combination with Data About Iron.io Customers to provide you with information about the Company and the Services.
25 4.3IP Addresses
26 When you visit Iron.io’s Web site, the Company collects your Internet Protocol (“IP”) addresses to track and aggregate non-personal information. For example, Iron.io uses IP addresses to monitor the regions from which Customers and Visitors navigate the Company’s Web site.
27 4.4Third Party Cookies
28 From time-to-time, Iron.io engages third parties to track and analyze usage and volume statistical information from individuals who visit the Company’s Web site. Iron.io may also use other third-party cookies to track the performance of Company advertisements. The information provided to third parties does not include personal information, but this information may be re-associated with personal information after the Company receives it.
29 Iron.io may also contract with third-party advertising networks that collect IP addresses and other Web Site Navigational Information on the Company’s Web site and emails and on third-party Web sites. Ad networks follow your online activities over time by collecting Web Site Navigational Information through automated means, including through the use of cookies. They use this information to provide advertisements about products and services tailored to your interests. You may see these advertisements on other Web sites. This process also helps us manage and track the effectiveness of our marketing efforts. To learn more about these and other advertising networks and their opt-out instructions, click here.
30 Public Forums, Refer a Friend, and Customer Testimonials
31 Iron.io may provide bulletin boards, blogs, or chat rooms on the Company’s Web site directly or via third-party services. Any personal information you choose to submit in such a forum may be read, collected, or used by others who visit these forums, and may be used to send you unsolicited messages. Iron.io is not responsible for the personal information you choose to submit in these forums.
32 Customers and Visitors may elect to use the Company’s referral program to inform friends about the Company’s Web site. When using the referral program, the Company requests the friend’s name and email address. Iron.io will automatically send the friend a one-time email inviting him or her to visit the Company’s Web site. Iron.io does not store this information.
33 Iron.io may post a list of Customers and testimonials on the Company’s Web site that contain information such as Customer names and titles. Iron.io obtains the consent of each Customer prior to posting any information on such a list or posting testimonials.
34 Sharing of Information Collected
35 Iron.io may share Data About Iron.io Customers with the Company’s service providers so that these service providers can contact Customers and Visitors who have provided contact information on our behalf. Iron.io may also share Data About Iron.io Customers with the Company’s service providers to ensure the quality of information provided. Unless described in this privacy statement, Iron.io does not share, sell, rent, or trade any information provided with third parties for their promotional purposes.
36 From time to time, Iron.io may partner with other companies to jointly offer products or services. If you purchase or specifically express interest in a jointly-offered product or service from Iron.io, the Company may share Data About Iron.io Customers collected in connection with your purchase or expression of interest with our joint promotion partner(s). Iron.io does not control our business partners’ use of the Data About Iron.io Customers we collect, and their use of the information will be in accordance with their own privacy policies. If you do not wish for your information to be shared in this manner, you may opt not to purchase or specifically express interest in a jointly offered product or service.
37 Iron.io uses a third-party service provider to manage credit card processing. This service provider is not permitted to store, retain, or use Billing Information except for the sole purpose of credit card processing on the Company’s behalf.
38 Iron.io reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process. Privacy Policy
39 Last Updated: March 12, 2015
40 Iron.io Overview
41 Iron.io provides cloud-based infrastructure services for message queuing and task processing. The services are used by organizations throughout the world to scale out workloads and create distributed and more fault-tolerant applications. Iron.io routinely audits and manages the security of its services and applies security best practices so customers can focus on building and scaling their applications.
42 Iron.io applies security controls at every layer of the system architecture including physical and service layer and interfaces. Iron.io also isolates customer message persistence and task environments and rapidly deploys security updates within its systems as necessary without customer interaction or service interruption.
43 In addition, the Iron.io platform is designed for stability, scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities.
44 For security inquiries, please contact legal@iron.io or contact us via our support channel.
45 Security Assessments and Compliance
46 Data Centers
47 Iron.io’s physical infrastructure is hosted and managed within Amazon and Rackspace secure datacenters, and utilizes service components and technologies within these datacenters for security protections at multiple layers and against multiple threat vectors. Amazon and Rackspace continually manage risk and undergo recurring assessments to ensure compliance with industry standards.
48 Amazon’s data center operations have been accredited under:
49 ISO 27001
50 SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
51 PCI Level 1
52 FISMA Moderate
53 Sarbanes-Oxley (SOX)
54 PCI
55 Rackspace’s datacenter operations have been accredited under:
56 ISO 27001
57 ISO 27002
58 SOC 1, SOC 2, SOC 3/SSAE16 Type II
59 PCI Level 1
60 SAFE HARBOR
61 CONTENT PROTECTION AND SECURITY STANDARD (CPS)
62 PCI Compliance
63 Iron.io uses PCI-compliant cloud infrastructure providers AWS and Rackspace. These data center operations are PCI Service Provider Level 1 compliant. This is the most stringent level of certification available.
64 Iron.io uses PCI-compliant payment processor Stripe for encrypting and processing credit card payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.
65 Data Center Security
66 Physical Security
67 Iron.io utilizes ISO 27001 and FISMA certified data centers managed by Amazon and Rackspace. Amazon and Rackspace have many years of experience in designing, constructing, and operating large-scale data centers. Data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. AWS authorized staff must pass two-factor authentication no fewer than three times to access data center floors. Rackspace makes use of keycard protocols and biometric scanning protocols and employs simply access restrictions. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
68 Amazon and Rackspace only provides data center access and information to employees who have a legitimate business need for such privileges. Every data center employee undergoes multiple and thorough background security checks before hire. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee. All physical and electronic access to data centers by employees is logged and audited routinely.
69 For additional information see:
70 https://aws.amazon.com/security
71 http://www.rackspace.com/about/datacenters/
72 Fire Detection and Suppression
73 Advanced automatic fire detection and suppression equipment has been installed in the data centers to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
74 Power
75 The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Rackspace denotes N+1 redundant UPS power subsystem, with instantaneous failover if the primary UPS fails. Data centers use on-site generators to provide backup power for the entire facility.
76 Climate and Temperature Control
77 Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels. Rackspace records the employment of N+1 redundant HVAC system, ensuring duplicate system immediately comes online should there be an HVAC system failure and circulates and filtered air every 90 seconds to remove dust and contaminants.
78 Data Center Management
79 Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
80 For additional information see:
81 https://aws.amazon.com/security
82 http://www.rackspace.com/about/datacenters/
83 Network Security
84 Firewalls
85 Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
86 Host-based firewalls restrict customer tasks from establishing localhost connections over the loopback network interface to further isolate customer tasks. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
87 DDoS Mitigation
88 Our infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
89 Spoofing and Sniffing Protections
90 Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Iron.io utilizes application and task isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
91 Port Scanning
92 Port scanning is prohibited and every reported instance is investigated by our infrastructure providers. When port scans are detected, they are stopped and access is blocked.
93 Data Security
94 Data in Transit
95 Iron.io uses SSL to secure data in transit and and OAuth tokens for account authorization. During the SSL/TLS handshake, the client and Iron.io service negotiate encryption keys and certificates with each other before any application data is exchanged. This ensures encrypted data sent by the client can only be decrypted by the service, and vice versa. SSL certificates are updated on a regular basis or in the event of a security advisory from external security centers. OAuth provides secure and unique identity tokens that can be revoked and regenerated by the user without compromising user identity.
96 Data at Rest
97 Message data and task payloads are replicated across two or more zones. Data storage components inherit the security measures described in this document including strict physical data center and system security and network isolation. Messages and payloads can be encrypted for additional security of data at rest. Messages within dedicated clusters within the message persistence layer are isolated and segmented from public clusters. Limited data retention policies can be employed to further reduce availability of data within the system.
98 Worker Tasks
99 Each task running within the IronWorker system runs within its own isolated environment and cannot interact with other tasks or areas of the system. This restrictive operating environment isolates security and stability issues at the task level. These self-contained Docker environments use LXC containers to isolate processes, memory, and the file system while host-based firewalls restrict applications from establishing local and inbound network connections.
100 For additional technical information on IronWorker’s secure container environment see: http://blog.iron.io/2014/04/how-docker-helped-us-achieve-near.html
101 Hardware Decommissioning/Data Scrubbing
102 Decommissioning hardware is managed by our infrastructure providers using a process designed to prevent customer data exposure. AWS uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
103 For additional information see: https://aws.amazon.com/security
104 System Security
105 System Configuration
106 Iron.io maintains separate environments for the component of its systems including the main website, HUD/dashboard, dev center, client libraries, and core services. The core services are further separated into specific components. Iron.io uses continuous integration practices and maintains test, staging and production environments for all its systems.
107 System configuration and consistency is maintained through standard, up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using the most current images which are routinely updated with configuration changes and security updates and run through a suite of pre-production tests before deployment. Virtual instances no longer in service are reset by our infrastructure providers so that data is never unintentionally exposed. This process includes resetting every block of storage used by the system and scrubbing (setting to zero) memory.
108 System Configuration
109 System access is limited to Iron.io staff and requires ssh keys for identifying trusted computers along with usernames and passwords. Furthermore, operating systems running within AWS do not allow password authentication to prevent password brute force attacks, theft, and sharing.
110 Vulnerability Management
111 Our vulnerability management process is designed to remediate risks without customer interaction or impact. Iron.io is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to Iron.io’s environment, ranked based on risk, and assigned to the appropriate team for resolution.
112 Iron.io deploys images to cloud servers and uses configuration management tools to create, scan, and validate these images. Run-time access to OS and system-level functions is restricted from outside access and no outside files or programs can run or be stored outside of the LXC containers that are used within IronWorker. New systems are deployed with the latest updates, security fixes, and platform configurations and can be put into production as soon as they pass all functional, load, pre-production, and system tests. Existing systems can be decommissioned on the fly and replaced with new systems with no interruption of service. This process allows Iron.io to respond quickly and keep the service operating environments up-to-date.
113 Iron.io runs penetration test against system API interfaces as part of the continual test suite that runs every four hours. These tests validate API access and ensures authorization works as specified. System tests using commercial grade penetration testing software are run as part of the functional tests that run prior to deploying any new images for Iron.io components.
114 Iron.io Application Security
115 System components undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of our application interface, architecture, and services layers. Iron.io engages with third-party security advisers and consultants to review the security of the Iron.io services and application layers and apply best practices.
116 Data and System Redundancy and Backup
117 All databases containing system and customer data are fully redundant within two or more zones as well as fully backed up on a daily basis to secure, access-controlled, and redundant storage facilities. System binaries and images and other service components are also individually backed up in the same manner and to the same degree. Each system component or image can be restored from backups as may be necessary.
118 In addition and in advance of standard backup practices referenced above, Iron.io’s system infrastructure scales and provides fault tolerant by automatically taking failed instances off-line and replacing them with new instances. Our data persistence layer will switch between redundant fully current databases without loss or disruption of messages or tasks in the event of a node or zone failure.
119 Disaster Recovery
120 Iron.io Platform
121 Iron.io maintains redundancy within each component and each layer to prevent single points of failure. Iron.io utilizes multiple zones for all system components, persists and replicates data across zones, and offers services in multiple data centers including automatic DNS failover for added geographic resilency. The IronMQ platform is deployed across multiple data centers all running the most current system images and in the event of replicated system/data loss, can make use of system and data backups.
122 Customer Messages, Tasks, and Task Payloads
123 Our platform automatically switches to additional servers and datastores within the same zone or within other zones in the case of an outage. The Iron.io platform is designed to dynamically route requests within the system, monitor for failures, take failed components offline, and swap in new components without service disruption.
124 Customer Data Retention and Destruction
125 Customer messages that have been deleted and task payloads that have been processed are retained within the system for no greater than 30 days. After the retention period, this data is purged from the system and is not available or accessible to customers or Iron.io staff. Custom data retention policies can be put in place under certain plans so as to reduce the duration of retention.
126 Service Incident Reviews
127 Iron.io reviews system and service incidents immediately after incidents to understand the root cause, impact to customers, and improve the platform and processes. We keep an internal wiki with a log of all previous service incidents and their fixes so that we can be sure to solve the issue quickly should it arise again. Finding the root cause of these incidents is of utmost importance to Iron.io and we always strive to release a fix as soon as possible.
128 Privacy
129 Privacy Policy
130 Iron.io has a published privacy policy that clearly defines what data is collected and how it is used. We takes steps to protect the privacy of our customers and protect data stored within the platform. Some of the protections inherent to Iron.io services include authentication, access controls, data transport encryption, HTTPS API protocols, and the ability for customers to encrypt messages and task playloads.
131 For additional information see: http://www.iron.io/privacy
132 Access to Customer Data
133 Iron.io cannot access any messages or task payloads that have been encrypted at the client level. Customer data is access controlled and all access by Iron.io staff is accompanied by customer approval and recorded for audit purposes.
134 Employee Screening and Policies
135 As a condition of employment all Iron.io employees undergo pre-employment background checks and agree to company policies including security, privacy, and acceptable use policies.
136 Security Staff
137 Our security team is lead by the Information Security officer (ISO) and includes staff responsible for application and information security. The security team works closely with engineering, operations, support, and other teams to address risk and implement appropriate security, privacy, and disaster recovery measures.
138 Customer Best Practices
139 Encrypt Data in Transit
140 Enable HTTPS for applications and SSL database connections to protect sensitive data transmitted to and from applications.
141 Encrypt Data at Rest
142 Customers with sensitive data can encrypt messages and task payloads to meet their data security requirements. Data encryption can be deployed within clients sending and receiving messages and task payloads using industry standard encryption and the best practices for your language or framework.
143 Limit Data Retention
144 Message queuing and task processing have limited durations and so where possible, you should limit data retention within the Iron.io system to only those data durations needed to accomplish the work.
145 Maintain Secure Account Access
146 To prevent unauthorized account access use a strong passphrase for your Iron.io user account and make use of Iron.io’s role-based access control (RBAC) model to invite share projects rather than sharing user accounts. Iron.io provides numerous ways for users to protect their tokens and actively supports and encourages the use of config files or environment variables throughout our platform. Tokens and project ids should be distributed to the team but not displayed publicly or in version control systems. Due to the token based system, it is easy to replace keys if lost or disclosed, and users are encouraged to rotate tokens at regular intervals.
147 Use Elastic IP Addresses and Authenticate Inbound Traffic
148 Elastic IP ranges are availble within certain plans and can and should be used within tasks running on the IronWorker platform to secure and isolate interactions between IronWorker and client applications. We furthermore recommend customers encrypt data being transmitted from Iron.io services as well as authentic incoming requests from workers running on the Iron.io platform.
149 For more information on these topics, see http://dev.iron.io/worker/reference/security/
150 Make Use of Logging
151 Logging can be critical for troubleshooting and investigating issues. Iron.io provides logging support within IronWorker including native logs as well as access gateways for real-time third party logging via syslog output from the IronWorker platform. Sensitive data should not be logged, however, as that introduces another data storage source with separate data retention durations.
152 For additional technical information on logging, see: http://dev.iron.io/worker/#inspect
153 Extend Practices to Third-Party Solutions
154 Tasks running within IronWorker may choose to use third party services for added functionality such as Amazon’s S3, an email service provider such as SendGrid, Mandrill, or Mailgun, or other service providers. Be mindful of the access methods and data shared with these providers and their security practices as you would be with Iron.io. Where possible, use separate credentials within the IronWorker platform for accessing external systems.
155 For more information, see http://dev.iron.io/worker/reference/security/