What data points does Movere collect and analyze?
Unified Logic does not collect payment-related data, and no information is collected directly from individuals.
Detail the lifecycle of the data collected and processed by Movere.
All data is collected by the Movere Console. All resulting output files are encrypted in memory using PGP. All private/public keys are unique to each customer. Before uploading to the cloud, output files are also zipped for further size reduction. When the user authenticates, a token is downloaded and added to each zip file as a header. Only then can the file be uploaded via a secure channel (HTTPS) to the Azure cloud for processing.
Upon reaching the cloud, each output file is handled by a FileTransfer API. Each output file is decompressed, decrypted, and then pushed into the database belonging to the customer performing the scan and upload. No two customers share the same database. From the database, the data is also extracted onto a secondary database for reporting, then into Qlik, which stores it in memory for the user to access via the website.
All data is stored in the cloud. Data retention varies depending on length of the subscription.
What cryptographic technologies are used to protect data (e.g. database, server, backups, applications, web services, etc.)?
- For passwords we use ASP.NET encryption (see PBKDF2)
- For PGP we use RSA 2048
- For tool credential encryption we use SHA-256
- For database/server see Azure SOC reports
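The following is an added example, not code from Movere or Unified Logic, showing what PBKDF2-based password storage looks like on disk and how a reviewer can audit its parameters. It assumes the ASP.NET Core Identity V3 hash layout (the page does not say which ASP.NET hasher is used); the function names and the rehash threshold are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# PRF identifiers in the assumed ASP.NET Core Identity V3 layout.
PRFS = {0: "sha1", 1: "sha256", 2: "sha512"}

def make_v3_hash(password, salt, iterations=10000, prf=1, subkey_len=32):
    """Build 0x01 | prf | iterations | salt length | salt | subkey, base64-encoded."""
    subkey = hashlib.pbkdf2_hmac(PRFS[prf], password.encode("utf-8"),
                                 salt, iterations, subkey_len)
    header = b"\x01" + struct.pack(">III", prf, iterations, len(salt))
    return base64.b64encode(header + salt + subkey).decode("ascii")

def parse_v3_hash(encoded):
    """Return the parameters stored in a hash blob; ValueError if malformed."""
    raw = base64.b64decode(encoded, validate=True)  # binascii.Error is a ValueError
    if len(raw) < 13 or raw[0] != 0x01:
        raise ValueError("not a V3-layout hash")
    prf, iterations, salt_len = struct.unpack(">III", raw[1:13])
    salt, subkey = raw[13:13 + salt_len], raw[13 + salt_len:]
    # Reject unknown PRFs and salts or subkeys shorter than 128 bits.
    if prf not in PRFS or iterations < 1 or len(salt) != salt_len \
            or salt_len < 16 or len(subkey) < 16:
        raise ValueError("implausible parameters")
    return {"prf": PRFS[prf], "iterations": iterations,
            "salt": salt, "subkey": subkey}

def verify_password(encoded, candidate):
    """Re-derive the subkey from the candidate and compare in constant time."""
    try:
        p = parse_v3_hash(encoded)
    except ValueError:
        return False
    derived = hashlib.pbkdf2_hmac(p["prf"], candidate.encode("utf-8"),
                                  p["salt"], p["iterations"], len(p["subkey"]))
    return hmac.compare_digest(derived, p["subkey"])

def needs_rehash(encoded, min_iterations=100000):
    """Flag hashes below a policy threshold (the default is an assumed policy value)."""
    p = parse_v3_hash(encoded)
    return p["prf"] == "sha1" or p["iterations"] < min_iterations

if __name__ == "__main__":
    sample = make_v3_hash("correct horse", bytes(range(16)))  # constructed sample
    print(parse_v3_hash(sample)["iterations"],
          verify_password(sample, "correct horse"), needs_rehash(sample))
```

Because the salt and iteration count travel with each stored value, verification needs no key: PBKDF2 is a one-way derivation, and the check is a recomputation followed by a constant-time comparison.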
What mechanisms are used to secure data at rest, data in transit, and data in use?
- Data at rest is secured using PGP encryption
- Data in transit is secured using PGP + SSL (HTTPS) transmission
- Data in use is secured using Qlik proxies, which also use SSL (HTTPS)
Describe the database characteristics of your product. Is data replication required across multiple databases? How is high availability achieved?
We use an n+1 architecture in all our database instances. In addition, we use in-memory data stores such as Qlik and Redis Cache, for which Azure provides clustering (2 shards minimum are used).
Describe your Software Development Lifecycle (SDLC) including developers' access to Production data or applications, version control tools used, promotion from Development to Production, etc.
Developers do not have access to production. When a new version is ready to be released it is first pushed into testing. Once testing has been completed, the deployment into production is conducted automatically using TFS.
When transporting backup media to a remote storage location, is transportation performed by authorized personnel or a courier service and is care taken to safeguard electronic media from loss, damage or destruction from both human and environmental threats?
There is no remote storage of the data collected by Movere. All data captured is stored in its original encrypted format within the same Azure environment Movere resides in. Even in the event of complete loss of the database and backups (very unlikely), we can recreate the database using the original files uploaded to Movere.