EFFECTIVE DATE: October 1, 2021
The following describes Toric’s security principles and architecture with respect to the administrative, technical, and physical controls applicable to the Service. Capitalized terms shall have the meaning assigned to them in the Agreement unless otherwise defined herein.
Toric emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.
Toric is designed for privacy first. Customer Data is encrypted in transit and at rest. The connection to app.toric.com is encrypted with 256-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfers are performed over encrypted protocols such as TLS.
Access to manage Toric’s AWS environment requires multi-factor authentication, and access to Customer Data is restricted to a limited set of approved Toric employees. Server and infrastructure management is performed through Infrastructure-as-Code procedures, with all changes reviewed, committed, and tracked. When direct infrastructure access is necessary, it is granted through role-based access control that limits access according to the principle of least privilege. AWS networking features such as security groups are used to restrict access to AWS instances and resources and are likewise configured according to the principle of least privilege. Access to Toric systems is promptly revoked upon termination of employment.
Toric uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in both the United States and Canada. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Toric takes reasonable steps to select and retain only third-party service providers that will maintain and implement security measures consistent with the measures stated in this attachment. Before software is implemented or a software vendor can be used at Toric, Toric IT carefully reviews the vendor’s security protocols, data retention policies, privacy policies, and security track record. IT may reject use of any software or software vendor for failure to demonstrate the ability to sufficiently protect Toric’s data and End Users.
All payment-related services are provided by Stripe, which is certified to PCI DSS Level 1. Toric employees cannot access or store sensitive payment information.
Every three months, Toric performs its own internal security audit to identify and prevent Customer Data loss and to assess the security, reliability, and integrity of the Service. To the extent Toric determines, in its sole discretion, that remediation is required based on the results of such an audit, it will perform that remediation within a reasonable period of time, taking into account the nature and severity of the identified issue.
Toric updates most of the software it runs, automatically or manually, and relies on Amazon-managed services for this where logical and possible. Toric maintains a vulnerability scanning process for production systems; the scope of these scans includes both external-facing and internal systems in the production environment. Toric’s engineering team assigns each vulnerability a severity rating based on the assessment tool’s criteria, and vulnerabilities rated high or above require remediation.
Toric takes daily snapshots of its databases and securely copies them to a separate AWS availability zone so that they can be restored in the event of a regional AWS failure. Backups are encrypted and have the same protections in place as production.
Toric has established a change management policy to ensure changes meet Toric's security, confidentiality, and availability requirements. Any change to production or IT configuration with unknown or foreseeable security consequences must be reviewed by the relevant teams holding the area of responsibility prior to deployment. Changes are first tested against an extensive suite of automated tests, then deployed to development and staging environments for further validation, prior to deployment to the production environment.
11. Disaster Recovery and Business Continuity
Toric maintains a business continuity plan centred on ongoing data replication, hot backups, and Infrastructure-as-Code, with the aim of restoring services to the widest extent possible within a reasonable time frame. Infrastructure restoration is a mostly automated process with documented manual steps. In addition to daily offsite backups, real-time database snapshots are synchronized at 5-minute intervals, and a weekly database restoration process verifies the validity of the backed-up data.
Toric reserves the right to update these terms from time to time and modify its security practices, provided that such update or modification will not materially and adversely diminish the overall security of the Service during the applicable Subscription Term.