Storable Cyber Security Practices
Infrastructure
● AWS – All Storable production systems and applications are hosted in the AWS cloud. This provides many advantages, including system and data redundancy, the ability to scale quickly to meet demand, highly secure data centers, and compliance with dozens of regulations and programs.
● Availability and Continuity – We maintain high levels of availability with our systems deployed in multiple, geographically diverse AWS regions and availability zones. We have also developed robust Disaster Recovery and Business Continuity programs that allow us to continue operations even under adverse conditions.
● Access Controls – Access to production systems and data is restricted to only those staff who need such access to perform their job responsibilities. All production access requires multi-factor authentication (MFA) and is logged and monitored.
● Threat Management – Storable utilizes an external security provider to monitor our networks, systems and applications on a 24/7 basis. All threats are detected, contained and eliminated quickly to prevent malicious activity and stop data from being exfiltrated from our systems.
● Security Assessments – Every year Storable undergoes a rigorous security assessment by an external firm. The goal of these assessments is to identify any vulnerabilities in our systems and applications, and to try to exploit those vulnerabilities and gain unauthorized access. We also perform our own internal vulnerability scans, and all issues detected are quickly remediated by our IT or Engineering teams.
Data At Rest
● Tokenization – Where possible, credit card data is tokenized so that we do not store account numbers, but rather a token, which is a random string of characters. Tokens serve as a reference to the original data but cannot be used to recover those values.
● Encryption – In those instances where we do store credit card data or other sensitive information, we employ industry-standard AES encryption to render the data unreadable.
● Backups – Backups of critical data occur daily, and we maintain redundant copies of production data in multiple geographic locations. Backups are encrypted, and keys are limited to a very small number of highly trusted staff members.
Data In Motion
● Encryption – All customer data stored within Storable cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key lengths where supported by the browser.
● Web Application Firewalls – Storable applications are protected by a Web Application Firewall (WAF) that inspects, detects and blocks application-layer attacks such as injection attacks.
Compliance Initiatives
● PCI DSS – Storable undergoes an annual PCI DSS Level 1 audit by a Qualified Security Assessor (QSA). This audit ensures that Storable is in compliance with all requirements of the PCI DSS and that we have implemented appropriate controls to protect cardholder data.
● SSAE 18 (SOC I) Type II – Storable also undergoes an annual SOC1 Type 2 audit, which is designed to ensure we have appropriate controls over financial reporting. This audit focuses on Storable's processes and controls that could impact our clients' internal control over their financial reporting (ICFR). The examination helps ensure that both the systems and the personnel responsible for these controls are functioning properly.