Trust & Security
Genuity Data Management
It's your data, we just help manage it.
Data Management
Access to Customer Data
Genuity limits access to Customer Data as follows:
- Requires unique user access authorization through secure logins and passwords, subject to the following password guidelines:
  1) Users select their own passwords, to strictly avoid ever storing a password in plain text.
  2) Password requirements prevent weak passwords from being selected, both through dictionary exclusions (e.g. weak password blacklist) and complexity requirements.
  3) Password requirements enforce a minimum length of at least 8 characters.
  4) Passwords have a long maximum length of 64 characters.
  5) The authentication mechanism is rate limited to mitigate the risk of brute force attacks.
  If requested, we will happily provide the source code to verify these constraints.
- Limits the Customer Data available to Genuity personnel on a “least privilege” principle;
- Restricts access to Genuity’s production environment by Genuity personnel on the basis of business need; and
- Encrypts user security credentials for production access including login information. Read more here to learn how Genuity’s chosen authentication method uses a series of one-way hashed data to keep your password safe.
Sharing of Personal Information
Genuity does not share your personal information with third parties other than as follows:
- Customers of Genuity's real-time benchmarking agree to allow Genuity to anonymize the customer's data and provide it to other Genuity customers in a manner that is fully aggregated and cannot be associated with a given company or individual at a company.
- With third-party vendors, consultants and service providers who perform functions on our behalf, but we limit their use of the information to what is reasonably necessary to carry out their work.
- When we believe in good faith that we are lawfully authorized or required to do so or that doing so is reasonably necessary or appropriate to comply with laws or respond to lawful requests, legal process or legal authorities.
- When we believe in good faith that doing so is reasonably necessary or appropriate to protect our rights, property or safety or that of our employees, agents, users or others, including to enforce our agreements and policies or to enforce our Terms of Use including investigation of potential violations of our Terms of Use.
- In extraordinary circumstances, such as to respond to an emergency or for reasons of national security, an urgent matter of public or individual safety or other issues of dire importance.
Sale of Data
We will never sell or provide Your Data to another party without your explicit consent.
Data Encryption
- Note that 100% of all customer data is stored entirely within Amazon Web Services (AWS) Cloud infrastructure.
- Genuity implements End-to-End Transport Layer Security (TLS) across the platform. To learn more about AWS’s end-to-end encryption standards, read this page. AWS S3 automatically encrypts all data before it is written to disk.
Network Security, Physical Security and Environmental Controls
- Genuity uses a variety of techniques designed to detect and/or prevent unauthorized access to systems processing Customer Data, including industry-standard firewalls and perimeter defense through AlienVault USM. You can learn more about Genuity’s chosen firewalls at https://aws.amazon.com/waf/faq/ and AlienVault perimeter protection at https://cybersecurity.att.com/products/usm-anywhere.
- The Service operates 100% on Amazon Web Services (AWS) and is protected by AWS’s security and environmental controls. Detailed information about AWS security is available at https://aws.amazon.com/security/. For AWS Cloud SOC2 Reports, please see this page.
- Customer Data stored within AWS is encrypted at all times. AWS does not have access to unencrypted Customer Data at any time.
Personnel Management
- Genuity provides training for its personnel who are involved in the processing of the Customer Data to ensure they do not collect, process or use Customer Data without authorization and that they keep Customer Data confidential, including following the termination of any role involving the Customer Data.
- Genuity conducts routine and random monitoring of employee systems activity.
- Upon employee termination, whether voluntary or involuntary, Genuity immediately disables all access to critical and noncritical systems, including Genuity’s physical facilities.
Independent Security Assessments
Genuity periodically assesses the security of its systems and the Service as follows:
- Annual detailed security and vulnerability assessments of the Service conducted by independent third-party security experts that include a thorough code analysis and a comprehensive security audit.
- Bi-annual penetration testing of Genuity systems and applications to test for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF.
- Daily vulnerability scanning.
- Code Review of any new code added to the Service.
Incident Response
If Genuity becomes aware of unauthorized access or disclosure of Customer Data under its control (a “Breach”), Genuity will:
- Take reasonable measures to mitigate the harmful effects of the Breach and prevent further unauthorized access or disclosure.
- Upon confirmation of the Breach, notify Customer in writing of the Breach without undue delay. Notwithstanding the foregoing, Genuity is not required to make such notice to the extent prohibited by Laws, and Genuity may delay such notice as requested by law enforcement and/or in light of Genuity’s legitimate needs to investigate or remediate the matter before providing notice.
  1) The extent to which Customer Data has been, or is reasonably believed to have been, used, accessed, acquired or disclosed during the Breach;
  2) A description of what happened, including the date of the Breach and the date of discovery of the Breach, if known;
  3) The scope of the Breach, to the extent known; and
  4) A description of Genuity’s response to the Breach, including steps Genuity has taken to mitigate the harm caused by the Breach.
Responsible Disclosure Policy
Data security is a top priority for Genuity, and Genuity believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Genuity’s service, please notify us; we will work with you to resolve the issue promptly.
Disclosure Policy
- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at support@gogenuity.com. We will acknowledge your email within 24 hours.
- Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Genuity service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
Exclusions
While researching, please refrain from:
- Distributed Denial of Service (DDoS)
- Spamming
- Social engineering or phishing of Genuity employees or contractors
- Any attacks against Genuity’s physical property or data centers
Thank you for helping to keep Genuity and our users safe!
Contacting Us
If you have any questions or comments about this Policy or our practices relating to the Service or Software, or if you believe we have not complied with this Policy, please contact us at support@gogenuity.com.