Orange County NC Website
DocuSign Envelope ID: 576DD5DB-E4A9-406B-8F7C-CC4EF3C2484F

24. What is the process by which the cloud provider updates policies and informs customers?
a. PhotoShelter clients are typically notified by email in advance of specific policies taking effect and the date of adoption.

25. What is the basic architecture of the cloud provider’s network security? (overall design, zones, filters, firewalls, VLANs, protocols, standards)
a. Please see the data diagram (see attachment).

26. What security measures does the cloud provider use in data storage, transit and use?
a. PhotoShelter uses AES256*2 encryption for static data and TLS1.2+ for data in transit.

27. What encryption technologies does the cloud provider use in data management?
a. PhotoShelter uses AES256*2 encryption for static data and TLS1.2+ for data in transit.

28. How are access rights managed by the cloud provider for their employees, contractors and other persons?
a. PhotoShelter has policies in place that once signed on as a client, no one from PhotoShelter accesses client data unless there’s been permission from a member of the client org. Normally, this is in cases of support, training, etc.

29. What methods does the cloud provider use to destroy information, when so authorized?
a. Data is permanently wiped from our system 45 days after the end date of a contract.

30. What is the cloud provider’s patch management policy/methods?
a. Updates, bug fixes, etc., are rolled out in real-time as they are discovered and addressed.

31. How does the cloud provider defend against malware, including but not limited to viruses, bots, spyware, spam, phishing and pharming?
a. Regular scans with malware detection software. In 15+ years, PhotoShelter has never experienced a successful DDoS attack or penetration of our infrastructure.

32. What system hardening strategies are employed by the cloud provider?
a. PhotoShelter employs a defense-in-depth strategy for system hardening — running a custom Linux deployment that boots with zero services enabled. Via automation, individual services are enabled, firewalled, and permitted in a least-privilege model.

33. How does the cloud provider perform security testing, including logging, correlation, intrusion detection, intrusion prevention, file integrity monitoring, time synchronization, security assessments, penetration testing?
a. PhotoShelter employs the best-of-breed technology platforms at every security layer from firewalls and access-management to intrusion detection, and we are working with industry leaders like Norse Corp on next-generation security platforms. In over 12 years of managing our own proprietary cloud-based platform, our system has proven its reliability with a track record of greater than 99.9% uptime with several petabytes of data being managed — which includes multiple replicas of over 285 million images and more than 5 million new professional grade images monthly. We have 100% durability and have not lost a single bit of data in 10 years. Regarding the security of the system, we employ

DocuSign Envelope ID: A0C7375C-1E9C-4913-9D61-A5E31E833876