Security Statement Overview
Keeping our clients' data secure is Buxton’s #1 priority. We take a multi-layered approach to information security that is known as “Defense in Depth.” Defense in Depth is a strategy that incorporates enterprise data protection best practices to ensure our clients’ data remains secure while in our environment. We want to ensure our clients’ data is treated with the utmost care from the time we receive it, until the time we delete it. We also embrace and enforce a philosophy of “least privilege” throughout our ecosystem to ensure that information is accessible to essential personnel. Finally, Buxton will never resell any information you have provided to a third party of any kind.
As you continue to learn more about Buxton, we recommend you also review our Privacy Policy.
SOC 2, Type 2 + HITRUST Compliance
SOC 2 Type 2 +HITRUST reports are independent, third-party examination reports that help clients to understand Buxton's control environment. Buxton has completed the System and Organization Controls (SOC) 2, Type 2 +HITRUST examination from the American Institute of Certified Professional Accountants (AICPA). HITRUST is based on a rigorous set of information security requirements that is tailored to the protection of Protected Health Information (“PHI”) as well as other confidential data. Additionally, the HITRUST framework is designed to address components from over 40 authoritative sources for information security frameworks, including HIPAA, NIST, CIS, FedRAMP, GDPR, and ISO 27001. Buxton has taken significant steps to create, document, implement and monitor processes required to maintain a high level of data security and confidentiality. The examination process covers critical factors such as risk management, system operations, change management, data monitoring, confidentiality and more. The purpose of the examination is to demonstrate the controls Buxton has implemented are suitably designed and operate effectively to ensure the security of its systems and the confidentiality of client data.
At Buxton, we take our clients’ concerns regarding data protection very seriously, and we therefore do not distinguish between client data that contains PII and that which does not. We apply the same strict protocols to all client data regardless of its contents.
Subservice Organizations
Buxton uses subservice organization to support certain functions of its platform including:
- Amazon Web Services (“AWS”) provides cloud and data hosting services.
- Google provides maps and geocoding services.
- Microsoft DevOps provides support for software development lifecycle.
- Okta, Inc. provides secure identity management authentication services.
- Salesforce is a customer relationship management platform.
Security Team
Our infrastructure and security teams are both AWS and Information Security certified. Our Executive Security Committee (ESC) includes our Chief Financial Officer, Chief Technology Officer, Chief Information Security Officer, Corporate Controller and the SVP’s of Systems Engineering. Security is our highest priority and enforced from the very top of the organization.
Best Practices
Incident Response Plan
We have implemented a formal procedure for security events and have educated all our employees on our various policies.
If a security event was detected, it would be reviewed by key security team members and escalated to our Executive Security Committee (ESC) if warranted. If additional investigation or resolution is needed, our Incident Response Team is notified and assembled to rapidly address the event.
After a security event is identified, addressed, and resolved, we would conduct a post-mortem analysis. The analysis would be reviewed with the ESC and distributed to all appropriate parties. It includes action items that would make the detection and prevention of a similar event easier in the future.
Infrastructure
Our services and data are hosted in multiple cloud environments located in the United States . Buxton services have been built with disaster recovery, high availability, and scalability in mind. Buxton implements strong access control policies combined with stringent auditing to ensure that the principle of least privilege is enforced. Buxton has also implemented an immutable backup strategy to protect against many forms of cyber-attacks.
Service Levels
We maintain an uptime of 99% or higher. For additional details about these metrics, please contact our corporate office.
Data
All client data is stored within the United States and is housed within a single tenant database that is dedicated to each client, at the point of ingestion. This prevents cross contamination of data among our clients. As data moves through to our production area, all data is transformed, summarized, de-identified, then stored in standard structures utilizing Buxton-generated encryption keys.
We implement several unit and quality assurance tests to ensure our application works as expected and data is rendered accordingly.
Data retention policies are in place to ensure your data remains in our ecosystem for the least amount of time possible for the requested scope of work. Per your request, the original data provided can be destroyed and a certificate of data destruction can be provided.
Data Transfer
Data ingestion and client deliverables are transferred to and from Buxton employing our MFT process or approved API’s. All databases with client data utilize transparent data encryption (TDE). Connections between databases use SSL encryption. For transfers between Windows systems, we only use SMB3 with encryption. We are enforcing 256-bit disk encryption on all endpoints. We have disabled the use of USB removable storage devices. We utilize Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) to monitor traffic including deviation from normal behavior. We have implemented technical controls to prohibit mobile devices from connecting to the production network.
Authentication
Buxton is served 100% over https. All external Buxton traffic is encrypted in motion. Client logins utilize two-factor authentication. Buxton utilizes two-factor authentication and strong password policies for all access to Buxton's internal resources.
Permissions and Admin Controls
Buxton enables permission levels to be set for each user within the Buxton Analytics Platform. This may include access to certain data elements or the ability to access certain features within the application.
Application Monitoring
We use a variety of tools to monitor the health of our entire ecosystem. Our ecosystem includes databases, distributed workers, load balancers, web servers and other mission critical infrastructure. All user access to the Buxton Analytics Platform is logged and reviewed as needed.
Actions and changes in the Buxton Analytics Platform are logged and tracked through an Enterprise Change Management System.
Security Audits
On a regular basis, we engage with third-party auditors to review our security protocols to test the design and operating effectiveness of key internal controls over a period of time. In addition, we introduce new controls to stay up to date with emerging needs.
We have implemented an array of cybersecurity tools from industry leaders to ensure that we employee a mix of tried-and-true best practices coupled with cutting edge methodology to protect the Buxton Analytics Platform and our client’s sensitive information.
Reporting Suspicious Activity
If you suspect or witness a suspicious event within the Buxton Analytics Platform, please contact our office. Our phone number is (817) 332-3681 or you can reach our Chief Information Security Officer at CISO@buxtonco.com.
Complementary User Entity Controls
Buxton’s controls over its analytics platform were designed with the assumption that certain controls would be placed in operation at user entities. This list does not represent a comprehensive set of all the controls that should be employed by user entities.
- User entities are responsible for ensuring that only authorized personnel are granted access to the customer analytics software and this access is commensurate with job responsibilities.
- User entities are responsible for reviewing and signing contractual obligations and amendments outlining the terms and conditions with Buxton in a timely manner and for complying with these contractual obligations.
- User entities are responsible for notifying Buxton regarding any changes made to technical or administrative contact information in a timely manner.
- User entities are responsible for ensuring that all data transmissions sent and received are authorized, complete, and accurate.
- User entities are responsible for developing their own disaster recovery and business continuity plans that address their inability to access or utilize Buxton’s services.
- User entities are responsible for ensuring that the impact of scheduled maintenance activities to their production processes and jobs is sufficiently mitigated.
- User entities are responsible for developing policies and procedures to protect their systems from unauthorized or unintentional use, modification, addition, or deletion.
- User entities are responsible for ensuring that adequate mechanisms are in place to monitor and protect the content of any information passing through their network.
- User entities are responsible for implementing their own access control systems on their infrastructure and systems. Buxton does not maintain or have logical access to user entity infrastructure software or data.
- User entities are responsible for notifying Buxton of security incidents that may impact the Buxton analytics platform.
- User entities are responsible for notifying Buxton should they desire to strengthen the standard password configuration settings to the Buxton analytics platform.