EthOS, a Panel Consulting Group LLC company, uses Google Cloud for our computing infrastructure. Google holds a full set of compliance certifications, including ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, and FedRAMP, and documents its alignment with HIPAA, GDPR, and CCPA, among others, in its compliance resource center. For more detail on Google Cloud security please refer to https://cloud.google.com/security.
Physical and Environmental Security
EthOS employees do not have physical access of any kind to our production facilities, as all of our infrastructure is hosted in Google Cloud.
- Google’s data centers are state-of-the-art, utilizing innovative architectural and engineering approaches. Google has many years of experience in designing, constructing, and operating large-scale data centers, and this experience has been applied to its platforms and infrastructure. Google data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Google only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is immediately revoked, even if they continue to be an employee of Google. All physical access to data centers by Google employees is logged and audited routinely.
For additional information see: https://cloud.google.com/security.
Our production environment is completely separate from the other environments, including staging and development.
Our servers are built using repeatable build processes, and we keep all source code in private GitHub repositories (http://github.com).
Systems are in place to ban IPs that show signs of malicious activity. All server log files are curated and stored in a central location, which allows our operations team to search and monitor our logs for unusual events.
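The paragraph above describes two controls in one sentence: centralized logs and an automated ban for IPs that misbehave. The following is an added illustration of the detection half of that loop, not EthOS's or Google Cloud's own tooling. It parses web-server access-log lines in the common "combined" format, keeps a sliding one-minute window of failed or probing responses (401/403/404) per source IP, and reports any IP that crosses a threshold so an operator or an automated blocklist can act on it. The log lines, IP addresses (RFC 5737 documentation ranges), status set, threshold, and window are all constructed assumptions for the example.

```python
"""Flag source IPs with a burst of failed requests in web-server access logs.

Added example for illustration only; log lines, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Responses treated as a sign of credential guessing or path probing (assumed set).
SUSPECT_STATUSES = {401, 403, 404}


def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def flag_abusive_ips(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for IPs with >= threshold suspect responses inside any window.

    Lines are expected in chronological order, as a log shipper would deliver them.
    Each IP keeps a deque of timestamps of recent suspect responses; entries older than
    the window are evicted, so the count is a sliding-window rate, not a lifetime total.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than aborting the whole run
        ip, ts, status = parsed
        if status not in SUSPECT_STATUSES:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample: 203.0.113.7 hammers /login, 192.0.2.5 fails slowly, one garbage line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/Oct/2023:13:55:07 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:13:55:12 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 401 512
this line is garbage and should be skipped
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/Oct/2023:13:55:22 +0000] "GET /missing HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:25 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:13:57:30 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:13:59:45 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:14:02:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:14:04:15 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.5 - - [10/Oct/2023:14:06:30 +0000] "POST /login HTTP/1.1" 401 512
"""


def main():
    for ip, peak in sorted(flag_abusive_ips(SAMPLE_LOG.splitlines()).items()):
        print(f"candidate for ban: {ip} ({peak} suspect responses within one minute)")


if __name__ == "__main__":
    main()
```

With the defaults only 203.0.113.7 is reported; 192.0.2.5 also fails six times but spread over eleven minutes, which a one-minute window does not see. Widening the window to five minutes and lowering the threshold to three catches the slow pattern too, which is why threshold and window belong in reviewable configuration rather than hard-coded constants.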
We actively scan our website for the OWASP Top 10 Web Application Security Risks and other known vulnerabilities.
All of our application interfaces require SSL throughout. Encrypting traffic in transit minimizes the chance of someone intercepting username/password combinations or other sensitive information. All data (other than passwords and authentication strings) is stored in plain text.
Data Storage & Retention Policies
Our databases are backed up on a nightly basis. In addition to using this data in production, we occasionally take a copy of the data and load it into our testing environments.
Incident Management Policies
We plan to always notify our customers of security incidents as soon as it is safe and prudent to do so, and will share any relevant information to allow our customers to take the necessary actions.
EthOS will never share participant data with anyone other than the commissioning client. EthOS employees do not access customer data as part of normal operations; however, they may need to when providing support at the request of the customer or when required to do so by law.