Overview

Pipeline understands and is committed to providing the highest level of data security. This starts by hosting our application at a certified, professionally managed, SAS 70 Type-II compliant and audited data center. The data center is monitored 24 hours a day 365 days a year!

The storage and transmission of data with is protected using a multi-layered security model. The multi-layer model is comprised of:

• Data Center Security
• Network Security
• User Authentication Security
• Application Security

Data Center Security

The Pipeline eXchange™ service is hosted in state-of-the-art data centers featuring 24x7 guarded access facilities using a wide range of security systems including video camera surveillance and the latest in biometric technologies. Access to the servers and storage is strictly limited only to authorized data center personnel. Procedures and processes for access are certified routinely to maintain the SAS 70 Type II Certification.

Physical Access Control

• Data center access limited to data center technicians
• Biometric scanning for controlled data center access
• Security camera monitoring at all data center locations
• 24x7 onsite staff provides additional protection against unauthorized entry
• Unmarked facilities to help maintain low profile
• Physical security audited by an independent firm

System Security

• System installation using hardened, patched OS
• System patching configured to provide ongoing protection from exploits
• Dedicated firewall and VPN services to help block unauthorized system access
• Data protection with managed backup solutions
• Optional, dedicated intrusion detection devices to provide an additional layer of protection against unauthorized system access
• Distributed Denial of Service (DDoS) mitigation services based on proprietary system
• Risk assessment and security consultation by professional services teams

Operational Security

• ISO17799-based policies and procedures, regularly reviewed as part of our SAS70 Type II audit process
• All employees trained on documented information security and privacy procedures
• Access to confidential information restricted to authorized personnel only, according to documented processes
• Systems access logged and tracked for auditing purposes
• Secure document-destruction policies for all sensitive information
• Fully documented change-management procedures
• Independently audited disaster recovery and business continuity plans in place

Network Security

As important as securing physical access to data is securing the transmission of data over the public internet. Pipeline eXchange enforces 128-bit Secured Socket Layer (SSL) encryption to assure all data is transmitted encrypted. From the login page to file uploads and downloads, the transmission between your computer on our servers is encrypted. Look for the lock sign on the bottom of your Internet Explorer browser for verification of the SSL security.

Application Security

Data Access
Pipeline eXchange uses proprietary security techniques to validate access to all application data. Based on a user's privileges, our application system determines access and presents the data. Should a user try to access something they are not authorized to access, they will be presented with an error. The errors are logged and we continuously monitor the system for unauthorized access.

User Session
A user's access to the system is maintained in a user session on our server. The user session is tied directly to a globally unique instance identifier of the user's browser. To protect from unauthorized access, a user's session is invalidated after 30 minutes of idle time.

Audit Track
Audit tracking is a central part of our application security model. All user activity is logged and tracked for audit purposes. The log consists of the user's IP address, user id, and date. Most of the audit information is visible in the context of the application.
 
A separate form of audit track is notification emails when a file is downloaded. Pipeline eXchange automatically sends an email notification to who ever the sender designates when a transfer file is downloaded by the recipient.

Data Retention
The Pipeline eXchange system enforces strict data retention policies based on account settings and preferences. Each file transfer contains an expiration date based on user preference. Depending on the settings, a file that is not downloaded before the expiration date is automatically and permanently deleted. Once a transfer is in process, the sender can cancel it and based on the settings, the file will be automatically and permanently deleted.

User Authentication

Application Users
All users accessing Pipeline eXchange must validate themselves with a login and password. The login attempts are logged in the system. A user's account will become locked after several unsuccessful login attempts. Furthermore, the user can set a password to meet their organization's password requirements.
 
Prior to establishing a login to Pipeline eXchange, the user's email address is authenticated through a validation process. This helps us maintain credible users in our system.

File Transfer Recipient Users

Users trying to download a file sent by a Pipeline eXchange user must, at the minimum, have a secure tracking code and the recipient's email address. Optionally, the sender can establish a security question which the recipient must answer prior to access to the file. The answer to the question is not sent in any notification. The sender and recipient can use a pre-determined question and answer or it can be ad-hoc and the sender would communicate the answer over some other medium like telephone to the recipient.

Summary

Pipeline eXchange is built and managed for secure document exchange and storage. The combination of strong physical security, application security, and user authentication means your sensitive data is protected at every level.