Keeping our customers' data secure is Buxton’s #1 priority. We take a multi-layered approach to information security that is known as “Defense in Depth.” Defense in Depth is a strategy that incorporates enterprise data protection best practices to ensure your information remains secure while in our environment. We want to ensure your data is treated with the utmost care from the time it leaves your facility to the delivery of your analysis. We also embrace and enforce a philosophy of “least privilege” throughout our ecosystem to ensure that information is accessible to essential Buxton team members only. Finally, Buxton will never resell or redistribute any information you have provided to a third party of any kind.
SOC II Compliance
Buxton has completed the System and Organization Controls (SOC) 2 Type II examination from the American Institute of Certified Public Accountants (AICPA). The purpose of the examination is to demonstrate the controls Buxton has implemented to ensure the security of its system and the confidentiality of client data.
SOC 2 reports are independent, third-party examination reports that help clients to understand Buxton's controls. Firms that complete the SOC 2 audit have taken significant steps to create, document, implement and monitor processes required to maintain a high level of data security and confidentiality. The examination process covers critical factors such as risk management, system operations, change management, data monitoring, confidentiality and more.
To request a copy of Buxton's SOC 2 Type II report, please email email@example.com.
Our infrastructure and security team is both AWS and Information Security certified. Our Executive Security Committee (ESC) includes our Chief Financial Officer, Head of Information Technology, and Corporate Controller. Security is our highest priority and enforced from the very top of the organization.
Incident Response Plan
- We have implemented a formal procedure for security events and have educated all our employees on our various policies.
- When security events are detected, they are reviewed by key security team members and escalated to our Executive Security Committee (ESC) if warranted. If additional investigation or resolution is needed, our Incident Response Team is notified and assembled to rapidly address the event.
- After a security event is identified, addressed, and resolved, we conduct a post-mortem analysis.
- The analysis is reviewed with the ESC and distributed across the company. It includes action items that will make the detection and prevention of a similar event easier in the future.
- If communication with our clients regarding a particular event is necessary, we will reach out through approved channels (email, phone, etc.) within 72 hours to describe the event and the actions needed to correct it.
Build Process Automation
- We have functioning and frequently used automation in place so that we can safely and reliably roll out changes to the Buxton Analytics Platform within minutes.
- We deploy code dozens of times a year. By doing so, we have high confidence that we can get any necessary fix out quickly.
- The majority of our services and data are hosted in Amazon Web Services (AWS) facilities located in the USA. We are in the process of consolidating all services and data within the AWS ecosystem. Buxton services have been built with disaster recovery, high availability, scalability, and reliability in mind.
- Our infrastructure is spread across multiple AWS availability zones and will continue to work should any one of those zones fail unexpectedly.
- All our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
- Buxton uses a number of tested and proven AWS backup solutions for datastores.
We have uptime of 99% or higher. For additional details about these metrics, please contact our corporate office anytime.
- All data is stored within the United States of America.
- Customer information is stored and managed within its own Buxton-designated, client-specific database while being prepared for analysis. Strict privacy controls exist within our application to ensure data privacy and prevent one customer from accessing another customer’s information.
- We have several unit and quality assurance tests in place to ensure our application works as expected and data is rendered accordingly.
- Data retention policies are in place to ensure your data remains in our ecosystem for the least amount of time possible. Once your information is standardized, massaged, and further de-identified, the original data provided can be destroyed according to our data retention policy and a certificate of data destruction can be provided at your request.
- We recommend that all data be transferred using a provided SFTP channel and encrypted accordingly.
- Our application endpoints are TLS/SSL only.
- Buxton is served 100% over HTTPS. Buxton runs a zero-trust corporate network.
- We have two-factor authentication (2FA) and strong password policies for VPN access and the AWS Management Console to ensure that access to cloud services is protected.
Permissions and Admin Controls
Buxton enables permission levels to be set for each user within the Buxton Analytics Platform. This may include access to certain data elements or the ability to access certain features within the application.
- We use a variety of tools to monitor the health of our entire ecosystem. Our ecosystem includes databases, distributed workers, load balancers, web servers and other mission-critical hardware.
- All user access to the Buxton Analytics Platform is logged and reviewed as needed.
- All actions taken on production consoles or in the Buxton application are logged and tracked through an Enterprise Change Management System.
- We annually engage with well-regarded third-party auditors to audit our existing security and confidentiality controls and continue to work with them if any areas need additional controls or enhancements.
- We use technologies such as AWS CloudTrail, Site24x7, and WhatsUp Gold to provide an audit trail over our infrastructure and the Buxton Analytics Platform. Auditing allows us to do ad-hoc security analysis, track changes made to our setup, and audit access to every layer of our stack.
Reporting Suspicious Activity
If you suspect or witness a suspicious event within the Buxton Analytics Platform, please contact our office. Our phone number is (817) 332-3681, or you can reach our support team at firstname.lastname@example.org.