Keeping our customers' data secure is Buxton’s #1 priority. We take a multi-layered approach to information security that is known as “Defense in Depth.” Defense in Depth is a strategy that incorporates enterprise data protection best practices to ensure your information remains secure while in our environment. We want to ensure your data is treated with the utmost care from the time it leaves your facility to the delivery of your analysis. We also embrace and enforce a philosophy of “least privilege” throughout our ecosystem to ensure that information is accessible to essential Buxton team members only. Finally, Buxton will never resell or redistribute any information you have provided to a third party of any kind.
SOC II Compliance
Buxton has completed the System and Organization Controls (SOC) 2 Type II examination from the American Institute of Certified Professional Accountants (AICPA). The purpose of the examination is to demonstrate the controls Buxton has implemented to ensure the security of its system and the confidentiality of client data.
SOC 2 reports are independent, third-party examination reports that help clients to understand Buxton's controls. Firms that complete the SOC 2 audit have taken significant steps to create, document, implement and monitor processes required to maintain a high level of data security and confidentiality. The examination process covers critical factors such as risk management, system operations, change management, data monitoring, confidentiality and more.
To request a copy of Buxton's SOC 2 Type II report, please email email@example.com.
Our infrastructure and security team is both AWS and Information Security certified. Our Executive Security Committee (ESC) includes our Chief Financial Officer, Head of Information Technology, and Corporate Controller. Security is our highest priority and enforced from the very top of the organization.
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our employees on our various policies.
- When security events are detected, they are reviewed by key security team members and escalated to our Executive Security Committee (ESC) if warranted. If additional investigation or resolution is needed, our Incident Response Team is notified and assembled to rapidly address the event.
- After a security event is identified, addressed, and resolved, we conduct a post-mortem analysis.
- The analysis is reviewed with the ESC and distributed across the company. It includes action items that will make the detection and prevention of a similar event easier in the future.
- If communication with our clients regarding a particular event is necessary, we will reach out through approved channels (email, phone, etc.) within 72 hours in order to describe the event and actions needed to correct it.
Build Process Automation
- We have functioning and frequently used automation in place so that we can safely and reliably roll out changes to the Buxton Analytics Platform within minutes.
- We deploy code dozens of times a year. By doing so, we have high confidence that we can get any necessary fix out quickly.
- The majority of our services and data is hosted in Amazon Web Services (AWS) facilities located in the USA. We are in the process of consolidating all services and data within the AWS ecosystem. Buxton services have been built with disaster recovery, high availability, scalability, and reliability in mind.
- Our infrastructure is spread across multiple AWS availability zones and will continue to work should any one of those zones fail unexpectedly.
- All our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
- Buxton uses a number of tested and proven AWS backup solutions for datastores.
We have uptime of 99% or higher. For additional details about these metrics, please contact our corporate office anytime.
- All data is stored within the United States of America.
- Customer information is stored and managed within its own Buxton designated, client specific database while being prepared for analysis. Strict privacy controls exist within our application to ensure data privacy and prevent one customer from accessing another customer’s information.
- We have several unit and quality assurance tests in place to ensure our application works as expected and data is rendered accordingly.
- Data retention policies are in place to ensure your data remains in our ecosystem for the least amount of time possible. Once your information is standardized, massaged, and further de-identified, the original data provided can be destroyed according to our data retention policy and a certificate of data destruction can be provided at your request.
- We recommend that all data be transferred using a provided SFTP channel and encrypted accordingly.
- Our application endpoints are TLS/SSL only.
- Buxton is served 100% over https. Buxton runs a zero-trust corporate network.
- We have two-factor authentication (2FA) and strong password policies for VPN access and the AWS Management Console to ensure that access to cloud services is protected.
Permissions and Admin Controls
Buxton enables permission levels to be set for each user within the Buxton Analytics Platform. This may include access to certain data elements or the ability to access certain features within the application.
- We use a variety of tools to monitor the health our entire ecosystem. Our ecosystem includes databases, distributed workers, load balancers, web servers and other mission critical hardware.
- All user access to the Buxton Analytics Platform is logged and reviewed as needed.
- All actions taken on production consoles or in the Buxton application are logged and tracked through an Enterprise Change Management System.
- We annually engage with well-regarded third-party auditors to audit our existing security and confidentiality controls and continue to work with them if any areas need additional controls or enhancements.
- We use technologies such as AWS Cloudtrail, Site24/7, and What’s Up Gold to provide an audit trail over our infrastructure and the Buxton Analytics Platform. Auditing allows us to do ad-hoc security analysis, track changes made to our setup, and audit access to every layer of our stack.
Reporting Suspicious Activity
If you suspect or witness a suspicious event within the Buxton Analytics Platform, please contact our office. Our phone number is (817) 332-3681 or you can reach our support team firstname.lastname@example.org.
Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.
- We will collect and use personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned as required by law.
- We will only retain personal information for the length of time necessary for the fulfillment of those purposes.
- We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.
- Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete and up-to-date.
- We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
- We will make readily available to customers information about our policies and practices relating to the management of personal information.
We are committed to conducting our business in accordance with these principles to ensure that the confidentiality of personal information is protected and maintained.
1. Collection and Use of Information When Submitting a Form on Our Website
We collect your information in the following situations and for the following uses:
- We collect your information, including email address when applicable, when you create an account with us or submit questions, queries or feedback via our website, app, email or social media. Data is collected and used to the extent required by our legitimate business interests to provide our services, communicate with you and provide customer support per your request.
- We collect your country and IP address, as it is necessary for our compliance with legal obligations to identify where our users are located in connection with EU tax laws.
- We collect your email address, when you have provided your consent, so you can receive our newsletters.
- We collect the information you post in our website chat forum, as it is in our legitimate interests to provide our services.
- We collect your information, including email address when applicable, when you inquire about our product via our website, app, email or social media. Data is collected and used to the extent required by our legitimate interests to provide our services, communicate with you and contact you about our product as per your request.
In addition to cookies that are strictly necessary to operate the website, we use the following cookies:
- Functional Cookies, which are set by the following third parties: Pardot and ExpressionEngine. These are used to enhance your experience on our website.
- Performance Cookies provided by the following third parties: Intercom, Pardot, Wistia, Hotjar, Lead Forensics and Google Analytics. These enable us to provide a better user experience based on how you use our website.
- Targeting or Advertising Cookies, which are set by us and the following third parties: Google AdWords, Bing Ads and LinkedIn. These tell us and those third parties about your browsing habits, so you can be provided with advertising that is more relevant to you.
- Social Media Cookies, which are set by the following third parties: Facebook, Twitter, Google+ and LinkedIn. These allow you to share what you've been doing on our website on social media.
If you do not accept the use of these cookies, please disable them by changing your browser settings so that cookies from our website cannot be placed on your computer or mobile device. These browser settings are typically found in the "Options" or "Preferences" menu of your browser; otherwise you should use the "Help" option in your browser for more details. If you only want to limit third party advertising cookies, you can turn such cookies off by visiting the following links: