
Pacific Research Group (PRG) Security Policy

Last Updated: March 3, 2020


1. Introduction

Keeping your data secure, confidential, and readily accessible are Pacific Research Group’s greatest priorities. Our industry-leading security program is based on the concept of defense in depth: securing our organization, and users’ data, at every layer.

Our security program aligns with CIS CSC 20 and NIST Cybersecurity frameworks and our CORE solution is HITRUST CSF certified. Our payments platform is PCI DSS Level 1 service provider certified. While no system can guard against every potential threat, Pacific Research Group’s defensive line is advanced and monitored 24/7, 365 days a year by highly trained professionals.

The focus of Pacific Research Group’s security program is to prevent unauthorized access to user data. To this end, our team of dedicated security practitioners, working in partnership with peers across the company, take exhaustive steps to identify and mitigate risks, implement best practices, and continuously develop ways to improve.

Pacific Research Group’s security team, led by the Chief Information Security Officer (“CISO”), is responsible for the implementation and management of our security program. The CISO is supported by members of the Cybersecurity Team, who focus on Security Architecture, Product Security, Security Engineering and Operations, Detection and Response, and IT Risk and Compliance.


2. This Agreement

This Security Policy should be read in conjunction with the Privacy Policy.

This Security Policy contains defined terms, which are defined elsewhere in the Agreement. Please refer to these defined terms in reviewing this Security Policy.

When you access, view or use any part of the Pacific Research Group services, you are accepting the terms and conditions of this Agreement.

If you are agreeing to this Security Policy on behalf of a corporation or other legal entity, you represent that you have the authority to bind such entity and its affiliates to the Agreement. If you do not have such authority, you must not enter into this Agreement and may not use any of our services or content.

Having considered the above preliminary matters and mutual agreements below, the Parties hereby agree as follows:


3. Secure by Design

Pacific Research Group’s security team has built a robust, secure development lifecycle that uses manual code reviews, static code analysis, and external and internal red team penetration testing. While we strive to catch all vulnerabilities in the design and testing phases, we realize that mistakes sometimes happen. With this in mind, we have created a public bug reporting program to facilitate responsible disclosure of potential security vulnerabilities. All reported vulnerabilities are validated for accuracy, triaged, and tracked to resolution.


4. Encryption

A. Data in Transit

All data transmitted between Pacific Research Group users and the Pacific Research Group services is protected with strong encryption protocols. Pacific Research Group supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 and AES-256 encryption.


B. Data at Rest

Credit card and PHI (SOAP notes field) data at rest in Pacific Research Group’s production network is encrypted using industry standards for data encryption. All encryption keys are stored on a secure server on a segregated network with limited access. Pacific Research Group has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials. Each Pacific Research Group user’s data is hosted in our shared infrastructure and logically separated from other users’ data. We use a combination of storage technologies to ensure user data is protected from hardware failures and is returned quickly when requested.


5. Network Protection

Network access to Pacific Research Group’s production environment from open, public networks (the Internet) is restricted, with only a small number of production services accessible from the Internet. Only those network protocols essential for the delivery of MINDBODY’s service to its users are open at our perimeter. Pacific Research Group utilizes third-party Content Distribution Network (“CDN”) services for redundancy and performance of services. In addition to the CDN, Distributed Denial of Service (“DDoS”) and bot protections are provided through third-party services. All secure servers are protected by firewalls, best-of-class router technology, TLS encryption, file integrity monitoring, and network intrusion detection that identifies malicious traffic and network attacks.

A. Endpoint Security

All workstations issued to Pacific Research Group personnel are configured by Pacific Research Group to comply with our standards for security. These standards require all workstations to be properly configured, updated, tracked, and monitored by Pacific Research Group endpoint management solutions. Pacific Research Group’s default workstation configuration encrypts data at rest, requires strong passwords, and locks when idle. Workstations run up-to-date monitoring software to report potential malware, unauthorized software, or other compromises.


B. Access Control

To minimize the risk of data exposure, Pacific Research Group adheres to the principles of least privilege and role-based permissions when provisioning access. Pacific Research Group employees and affiliates are only authorized to access data that they reasonably must handle to fulfill their current job responsibilities. All production access is reviewed internally and is part of compliance with PCI and HITRUST.

To further reduce the risk of unauthorized access to data, Pacific Research Group employs multi-factor authentication for all privileged access to systems with highly classified data, including our production environment, which hosts our user data.


C. System Monitoring, Logging, and Alerting

Pacific Research Group monitors servers, workstations, and networks to maintain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands, and system calls on all servers hosting sensitive data in the Pacific Research Group production network are logged, analyzed, and retained in accordance with PCI and HITRUST requirements.

All networks are monitored using a Security Information and Event Management (“SIEM”) system that gathers logs from all network systems and creates alert triggers based on correlated events. In addition to the internally managed SIEM, Pacific Research Group utilizes third-party incident detection and response services for additional monitoring and analysis.

Intrusion detection sensors throughout our internal network report events to the internal and external SIEM systems for logging and for the creation of alerts and reports.


D. Vendor Management

In order to provide you with our services, Pacific Research Group may rely on other service organizations that provide their services to Pacific Research Group (“Subservice Organizations”). Where those Subservice Organizations may impact the security of Pacific Research Group’s production environment, we take appropriate steps to ensure our security posture is maintained by establishing agreements that require Subservice Organizations to adhere to the confidentiality commitments we have made to users. Pacific Research Group monitors the effective operation of the Subservice Organizations’ safeguards by reviewing all such controls before use.


E. Security Compliance Audits and Assessments

Pacific Research Group is continuously monitoring, auditing, and improving the design and operating effectiveness of our security controls. These activities are regularly performed by both third-party credentialed assessors and Pacific Research Group’s internal IT Risk and Compliance teams.

Assessment and audit results are shared with senior management, and all findings are tracked to ensure prompt remediation.


F. Penetration Testing

In addition to our compliance audits and assessments, Pacific Research Group engages both internal red teams and independent external entities to conduct application-level and infrastructure-level penetration tests at least annually. The results of these tests are shared with senior management, and any potential issues are triaged, prioritized, and remediated promptly.


G. Hosting Providers

Our hosting and cloud service providers are PCI compliant and have completed the industry-standard SOC 2 certifications. This includes controls and processes such as multi-factor authentication, role-based access controls (“RBAC”), redundant utilities, and strict change management processes.

No computer system or information can ever be fully protected against every possible threat. Pacific Research Group is committed to providing reasonable and appropriate security controls to protect our services, Websites, and information against foreseeable threats. If you have any questions about Pacific Research Group security, you can contact us at info@pacificresearchgroup.com.


6. Expectations

A. User Expectations

Pacific Research Group maintains the security of Pacific Research Group systems; however, you, as a Pacific Research Group user, are responsible for implementing other security practices. We recommend that you:

  • Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, credit card readers, tablets, and mobile devices);
  • Install appropriate anti-virus and anti-malware protection;
  • Enable web browser auto-updates;
  • Implement a robust operating system and software patching process;
  • Implement secure user and password management processes, including periodic password changes and deleting user accounts promptly after staff departures;
  • Replace old peripherals and hardware with more modern and secure alternatives;
    • For example, replace systems with unsupported operating systems
    • For example, replace swipe readers with EMV devices
  • Use the Pacific Research Group systems as designed;
  • Restrict access to consumer data where a team member has no business need to view it;
  • Use at least TLS v1.2 when connecting to the internet; and
  • Notify Pacific Research Group immediately of any suspected compromise or unusual account activity by sending an email to info@pacificresearchgroup.com.

B. Cardholder Data Handling Expectations

Pacific Research Group is certified as a Level 1 Service Provider under PCI DSS Version 3.2.

Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (“PCI DSS”), which outlines credit card processing merchants’ responsibilities for the protection of Cardholder Data. We strongly recommend you follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply.

At a minimum, you must:

  • Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious;
  • Restrict permission to install software on those computers to trusted users (the business owner and/or trusted senior staff);
  • Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and applications (e.g., Microsoft Office, Adobe Reader, Java, Google Chrome), with all security updates and patches installed;
  • Ensure that every individual who logs into the services has a unique username and password that is known only by that individual;
  • Only store credit card account numbers in encrypted credit card fields designed for that purpose; and
  • Destroy any hard copy documents that have Cardholder Data written on them.


DISCLAIMER OF RESPONSIBILITY FOR CARDHOLDER DATA. If you use the optional Payment Processing Service to process payments, Pacific Research Group is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by Pacific Research Group’s system(s). You remain responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by Pacific Research Group’s system(s).

7. API Credentials

Your API credentials are extremely sensitive. If you use our API, you must follow the policies below to ensure that you’re accessing user data in a safe and secure manner. Using your API credentials indicates that you agree to the terms of this Security Policy. If you or a member of your team violates this policy, you could permanently lose access to the Pacific Research Group API.

You must:

  • Ensure your API credentials are stored securely at rest and in transit;
  • Share your credentials with your team only on a need-to-know basis;
  • Never store credentials in source control, private or public;
  • Never allow API credentials to be logged, even in development tools;
  • Make sure your team understands that the credentials grant access to sensitive and confidential production data;
  • Use credentials only server-to-server; and
  • Never use credentials in a mobile application.

Pacific Research Group reserves the right to delete any API credentials after 30 days of low activity (less than 100 calls).

9. Changes to the Security Policy

We may, in our sole discretion, make changes to this Security Policy from time to time. Any changes we make will become effective when we post a modified version of the Security Policy to Our Website, and we agree the changes will not be retroactive.


Contact Us.

If you have any questions regarding this Security Policy, you can contact us via email at info@pacificresearchgroup.com or via postal mail at:

Pacific Research Group
ATTN: Security Policy Issues
120 Tustin Ave. Suite C, Newport Beach, CA 92663
