Security Measures

Passport considers the protection of the data it receives from its users and processes (“User Data”) a top priority. As further described in these Security Measures, Passport uses commercially reasonable organizational and technical measures designed to prevent unauthorized access, use, alteration or disclosure of User Data stored on systems under Passport’s control.

  1. Access to User Data. Passport limits its personnel’s access to User Data as follows:
    1. Requires unique user access authorization through secure logins and passwords, including multi-factor authentication for administrator access.
    2. Limits the User Data available to Passport personnel on a “need to know” basis.
    3. Restricts access to Passport ‘s production environment by Passport personnel on the basis of business need.
    4. Encrypts user security credentials for production access.
  2. Data Encryption. Passport provides industry-standard encryption for User Data both in flight and at rest as follows:
    1. User Data is encrypted over the internet, in transit and at rest.
    2. Uses strong encryption methodologies to protect User Data, including AES 256-bit encryption for User Data stored in Passport’s production environment.
  3. Data Management
    1. Passport creates an audit trail for key verification with each integration, with user-specific integration key generation alert controls.
    2. Passport logically separates each of its customers’ data and maintains measures designed to prevent User Data from being exposed to or accessed by unauthorized third parties.
  4. Network Security, Physical Security and Environmental Controls
    1. Passport uses a variety of techniques designed to detect and/or prevent unauthorized access to systems processing User Data, including firewalls and network access controls.
    2. Passport maintains measures designed to assess, test and apply security patches to all relevant systems and applications used to provide the Service.
    3. The Service operates on Amazon Web Services (“AWS”) and is protected by Amazon’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/
    4. User Data stored within AWS Database services is encrypted at all times.
  5. Incident Response. If Passport becomes aware of a Security Incident, Passport will:
    1. Take reasonable measures to mitigate the harmful effects of the Security Incident and prevent further unauthorized access or disclosure.
    2. Upon confirmation of the Security Incident, notify affected users in writing of the Security Incident without undue delay. Notwithstanding the foregoing, Passport is not required to make such notice to the extent prohibited by Laws, and Passport may delay such notice as requested by law enforcement and/or in light of Passport’s legitimate needs to investigate or remediate the matter before providing notice.
    3. Each notice of a Security Incident will include:
      1. The extent to which User Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Security Incident;
      2. A description of what happened, including the date of the Breach and the date of discovery of the Security Incident, if known;
      3. The scope of the Security Incident, to the extent known; and
      4. A description of Passport’s response to the Security Incident, including steps Passport has taken to mitigate the harm caused by the Security Incident.
  6. Business Continuity Management
    1. Passport maintains processes to ensure failover redundancy with its systems, networks and data storage.
  7. Personnel Management
    1. Passport performs employment verification, including proof of identity validation and criminal background checks for all new employees.
    2. Passport provides training for its personnel who are involved in the processing of the User Data to ensure they do not collect, process or use User Data without authorization and that they keep User Data confidential.
    3. Passport conducts random monitoring of employee systems activity.
    4. Upon employee termination, whether voluntary or involuntary, Passport immediately disables all access to critical and noncritical systems.