Information Security Policy

Create.com, LLC. and our subsidiaries (“we” or “us”) take the security of customer data seriously. We have implemented internal policies and controls to try to ensure that customer data is not lost, accidentally destroyed, misused or disclosed, and is only accessed by Create.com employees in the performance of their duties. Where Create.com engages third parties to process customer data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are required to implement appropriate technical and administrative measures to ensure the data is secure.

Create.com will maintain data security by protecting the confidentiality, integrity and availability of the customer data as follows:

  • Confidentiality means that only people who are authorized to use the data can access it.
  • Integrity means that data should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorized users should be able to access and use the data if they need it for authorized purposes in a timely and reliable manner. Customer data should therefore be stored in approved data stores and made available to authorized users only.

How is data security managed?

The security of Create.com is modeled on a ‘defense in depth’ approach on multiple levels, including Physical, Network, Host, Software, and User Account Security. Create.com maintains internal security policies and standards in support of its ongoing operations. Access to resources is granted only to those who reasonably require access, based on their responsibilities. Security processes include:

Physical Security

Physical access to Create.com’s hosting environment is restricted to specific individuals and uses multiple levels of security, including:

  • Create.com servers and infrastructure are located in a physically secure data center. Access to the data center is limited to authorized personnel. Badge access or biometric authentication (hand scanners and fingerprint IDs) are required in order to access the facilities.
  • Create.com servers are isolated and secured within the data center in areas dedicated to Create.com equipment only. These areas are not shared with third parties.
  • Access to the data center and systems are regularly reviewed to ensure authorization.
  • 7×24 Security guards perform random checks of the data center to ensure physical security controls have not been compromised.

Network Security

  • Access to Create.com services is via standard HTTP and HTTPS connections.
  • Create.com’s hosting environment is protected from the public Internet via multiple next generation firewalls, monitored with an intrusion prevention/detection system, including a strategically placed distributed denial of service mitigation system.
  • All of your account, credit card, and subscriber information and content is encrypted via industry-standard Secure Sockets Layer (SSL) connections over HTTPS.

Host Security

  • Create.com performs industry-standard security hardening efforts on all systems. In accordance with our security and change management policies, unused services are disabled and software updates are applied on a regular basis.
  • Create.com regularly reviews information on current security vulnerabilities, including vendor announcements and other industry sources. If security updates are determined to be critical to the Create.com environment, they are thoroughly tested and deployed in a timely manner.
  • All Create.com hosts and services are routinely monitored for integrity and availability. Operations staff review all alerts generated by monitoring systems and respond promptly.
  • Create.com servers are monitored 24×7 for malicious activity.
  • Administrative access to Create.com’s infrastructure is limited strictly to authorized users with multi factor authentication. Individual usernames and passwords are required for all machine and data access.
  • Strong password guidelines are in place, including complexity and minimum length requirements. Passwords are expired and changed on a regular basis.

Software Security

  • All internally developed code is subject to a strict Quality Assurance program, including extensive testing of functionality and business logic. Strong change control processes are in place to ensure that all code deployed to the production environment has been appropriately reviewed.
  • We train our engineers in secure coding and architectural design patterns like the ones outlined in the OWASP Top 10, SANS critical security controls, and the NIST frameworks
  • As part of Create.com’s ongoing PCI compliance, we regularly undergo security reviews, including external and internal scanning for vulnerabilities on an ongoing basis by a third party vendor. All vulnerabilities discovered are reviewed by internal security and addressed according to severity.

Incident Management

  • Create.com has a documented Cybersecurity Incident Response Plan, a 24×7 Command Monitoring Center, a Cybersecurity Incident Commander and an industry leading incident response third party on retainer.
  • The Plan undergoes annual table top testing and is updated as necessary.

The Chief Privacy Officer/Data Protection Officer will be informed of any reasonably suspected Customer Data breach and will act as required by the GDPR and other laws as necessary.

Personnel Security

  • Create.com employment offers are contingent upon successful completion of criminal background and reference checks where allowed by law.
  • Upon commencing employment, all Create.com employees receive information security training and are contractually obligated to confidentiality clauses to ensure that they adhere to Create.com’s commitment to security and confidentiality.

Create.com’s information security awareness and training program requires employees complete annual security refresher training.

Patch Management

  • Create.com’s patch installation is prioritized based on the severity of the patch with respect to the impact on the hosting services.
  • Create.com systems are routinely updated per vendor recommendations and industry standards.
  • Patch levels on managed systems are monitored and enforced by third party software.

Virus/Malware Management

  • Create.com uses up to date virus scanning software for detecting currently known malware.
  • Malware definitions are updated daily and installed as required.
  • Operations teams monitor the Create.com hosting environment 24×7 for malware infections.

Questions