What is Zesty.io used for?
Zesty.io accounts are intended for publicly accessible websites, whether informational sites, online stores (e-commerce), or headless content APIs. Data shared on the Zesty.io platform is typically public information that is crawlable by search engines.
What data is held by Zesty.io, and where is it hosted?
Most data held in Zesty.io is public content accessible over the Internet. That information is stored in an isolated database created specifically for that website account. Additionally, user information for the individuals that use and access Zesty.io is stored in a separate database not associated with any website account. Passwords are hashed and salted before being stored. All data is encrypted before being stored.
How will users be authenticated, that is, how do we know a user is entitled to use the application?
Users are authenticated against their password, which is hashed and salted on submission and checked against a user database. Each form in Zesty has methods in place to defend against CSRF (cross-site request forgery) and XSS (cross-site scripting) attacks.
Is Zesty.io accessible from mobile devices such as cell phones and tablets? If so, can access be restricted only to company-owned devices?
Zesty.io is accessible from all devices with a modern web browser. That includes, but is not limited to, modern cellphones, tablets, desktop computers, and laptop computers. Restricting access to specific devices is not available. Restricting permissions to specific areas of the website account is available to the agency managing the website account.
If a user (employee) of our company leaves, how will that user’s access to the service be terminated?
Access to Zesty.io website accounts is granted on a per-user basis. The managing agency has complete control over which users have access, and can grant or deny access immediately.
If the data were compromised what would the impact to our business be?
If the website account's database data were compromised, passwords would be reset, access would be restricted, and the most recent backup of the website would be reinstated. All users with permission to that website account would be required to create new passwords with two-factor authentication.
If Zesty.io unexpectedly goes out of business or is otherwise unable to supply the service what would the impact on our company be?
Zesty.io will always provide a way to export a static version of a website. If the website uses the Zesty.io commerce solution, that service would be halted and would need to be reinstated on another system, but all of the CSS, HTML, and data would be available for download. Additionally, the managing agency can make backups of the website at its discretion.
Is Zesty.io's hosting solution SAS 70 type II certified?
Yes. Zesty.io is hosted with Google Cloud Platform and Fastly, both of which are SAS 70 Type II certified.
Can Zesty.io provide a detailed information security policy?
Yes. Our public security policy may be viewed here.
What software development processes does Zesty use to prevent security defects? Can we request to audit your adherence to these processes?
Upon deployment of code, we employ third-party consultants to check internally and externally for flaws in the system. An audit request can be made; we will take steps to authorize the request prior to any engagement.
Would our employees ever log on to your hosted systems in any way while our company is using Zesty.io?
Yes. Only users associated with your website account can access your company data. If a user logs on with an additional user account they have created, that account will not be able to access, or grant access to, the company website account associated with their other user account.
How would you inform our company if a security incident or data exposure involving our company data occurred? What steps would you take to mitigate any damage to our company if such an incident occurred?
We would notify all companies involved in any security incident. If a website account's database were compromised, passwords would be reset, access would be restricted, and the most recent backup of the website would be reinstated. All users with permission to that website account would be required to create new passwords and use two-factor authentication when logging in.
How quickly would you inform our company if a security vulnerability were discovered? What steps would you take to mitigate any damage to our company if such a vulnerability were discovered?
We would notify all companies involved in any security incident within 24 hours of discovery. If a website account's database were compromised, passwords would be reset, access would be restricted, and the most recent backup of the website would be reinstated. All users with permission to that website account would be required to create new passwords and use two-factor authentication when logging in.
Are Zesty.io data centers ISO 27001 certified? Are ecommerce payments PCI DSS certified?
Zesty.io's data centers are managed by Google Cloud Platform, which is ISO 27001 certified. Zesty accepts payments with only PCI DSS certified vendors.
Are any third parties involved in the provisioning of Zesty.io? If so, how do you ensure that these third parties or sub-contractors cannot negatively affect the security level of Zesty?
How does Zesty protect against loss of power, loss of network access, loss of other key infrastructural elements, non-availability of personnel due to severe weather events, and so on? Have you assessed these risks and do you have a documented business continuity or disaster recovery plan in place to address them?
Regular database backups and code repositories are stored in multiple secure locations in the United States. If our main server farm is inaccessible for more than 168 hours, we will deploy our repositories and reinstate the database in a new location. In this event, domain DNS records may need to be changed to the new location's IP (Internet Protocol) address. Network access outside of our control (e.g. an Internet line from Arizona to Southern California is severed, preventing access to servers in Texas) is considered municipal, and it is at the discretion of the governing body in whose jurisdiction the issue occurred to resolve connectivity issues.
Do you have an appropriately trained Information Security staff in place? What security certifications do they maintain?
Yes. We employ top security experts to conduct experiments and research to find flaws in our code repository. Rackspace IT professionals that manage our server cluster maintain their RHCA (Red Hat Certified Architect) and required Cisco certifications.
Are Zesty.io employees aware of their obligation to maintain the confidentiality of all customer data? How is this documented? Are your business partners aware of their obligation to maintain the confidentiality of all customer data? How is this documented?
Yes to both; this is documented with signed and dated documentation.
What do you do to protect against information security breaches by highly privileged insiders, such as inappropriate access to our company data by a system administrator?
Access to this information should not have any effect on the company, as information stored in Zesty.io website accounts is intended to be publicly accessible. Sensitive user credential data is hashed while at rest and encrypted during transit.
May our company or our agents carry out information security and data protection audits of your hosted solution? Will our company also be able to carry out such audits on your subcontractors?
Audits, which may include, without limitation, penetration tests against Zesty.io's infrastructure and code base, audits of our security processes as they relate to Zesty.io, audits of our software development process, and audits of our technical and organizational processes as they relate to Zesty.io, may be scheduled and conducted after authorization by our staff.
Will access to our company data and to the networks and systems used to process the data be secured by two-factor authentication?
Two-factor authentication is an optional feature for all website accounts. This feature may be enabled by the website account's managing agency.
Will our company's data be protected by encryption both in transit and at rest?
Website accounts with the SSL/TLS option enabled will be protected by encryption in transit.
How will our company's data be segregated from other customers’ data?
Each website account accesses an isolated database created specifically for that account.
Is Zesty's team prepared to assist our company to produce its data as necessary for litigation (E-Discovery)?
Yes, for a $500 fee per queried result.
How do Zesty.io system administrators enforce the principle of least privilege? Do any administrators have unrestricted access to customer data or the systems and networks used to process the data?
We create policies based on best practices for the principle of least privilege, and we create software rules to enforce those policies. We ensure this by only allowing employees to access data through the software.
Is Zesty.io compliant with all applicable national and international data protection laws and regulations?
Zesty.io is compliant with United States data protection laws and regulations.
Are Zesty.io employees aware of their responsibilities under applicable national and international data protection laws and regulations?
Yes. As of March 1st, 2014, each employee is required to study data protection laws as part of their training.
Where is Zesty.io hosted?
Servers, backup storage, and disaster recovery are located in the United States. Media hosted with Akamai, our content delivery network provider, is located statically across all nations that have requested access to specific media files.
Does Zesty.io process any personal data relevant to EU data protection laws, as well as all applicable US state privacy laws?
Who do I contact if my question was not answered above?
For more information, please contact firstname.lastname@example.org.