When retrieving data from a partner system or a customer’s data store, we use secure protocols like HTTPS or SFTP. Once ingested, customer data is sequestered in an S3 bucket with limited access granted, even to our employees. After the data is harmonized, accessing the API or Wicket Scorecard requires a robust username and password that sets a temporary session cookie for each user.
Gather the least necessary data
We only pull data we need to power the Wicket Scorecard. Everything else is left behind in the customer or vendor system. In the event of an accident or malicious act, we cannot lose control of something we do not have.
With the introduction of the GDPR standard in 2018, the concept of pseudonymization became a global policy for Wicket Labs. While we normally avoid collecting PII, there are a few use cases that require an email or IP address. Per GDPR, this data is immediately encrypted upon ingest using a one-way hash. The source data is deleted. There is no way back from the hashed result to the source data.
It’s in the Cloud
Physical access to the data storage device is always a concern. This is where using a cloud-based service like AWS has its advantages. Access to the AWS data centers is strictly guarded and their architecture makes it near impossible to tell which data is on which server or storage array.
Development & Deployment Standards
Wicket Labs has established SDLC processes to ensure delivery of quality software services. We use an AGILE-based planning process, version control, automated testing, and automated deployment. Automation ensures not only reliable delivery but also an auditable process based solely on the resources noted in our version control system.
A Culture of Pulling the Emergency Brake
Since we are only as strong as our weakest link, each teammate at Wicket Labs is reminded that they have a responsibility to speak up if they have a concern. It’s better to delay a release and even miss a deadline if a little extra time allows us to test a potential weakness and ensure our security standards remain strong.
Always more to do
Improving the policies and tactics we employ to secure our customers’ data is a never-ending task. We continually review our policies, stay abreast of industry best practices and threats, and learn from the rigorous security reviews we’ve already cleared with top tier media companies and operators. We roll this knowledge up and invest the time required to upgrade and secure the data entrusted to us.
We welcome conversations with our customers and partners about our data security policies. If you’d like to learn more, have questions or even ideas, reach out and we’ll set a time to speak.