Organization Email Address
To prevent unauthorized access to your network’s data, an organization email address is required to create a NationalField account. A network administrator determines the list of accepted organization domains. User accounts can be disabled at any time by a network admin. If a user no longer has access to an organization email address, s/he cannot access or rejoin the network.
Every user account on NationalField is secured with a password. Password policies are in place to encourage users to create strong passwords.
In Q3 2012, 2-step verification will be available to all user accounts using Google Authenticator on Android, iPhone, iPod Touch, iPad, and BlackBerry devices. This added security requires two steps before a user can log in to NationalField: (1) a password – something the user knows, and (2) a code obtained using their phone – something the user has. This additional protection makes user accounts significantly more secure by verifying that the user is the proper owner of the account.
Advanced Role-based Permissions
NationalField is built with advanced role-based permissions allowing network administrators to control the security of information and data in the network. Nearly all functionality can be controlled via a role-based permission. Combined with the org chart, access to information can further be controlled by where a user resides inside the organization. Administrators have access to role-based permissions for ongoing auditing purposes.
Each NationalField network has an administrator who can deactivate user accounts, monitor content, remove offensive or abusive content, edit role-based permissions, create and manage groups, provision domain names, create and manage Apps, send Announcements to everyone in the organization, create custom profile fields, backup network data for eDiscovery, and more.
Secure Sockets Layer (SSL) Encryption
When a user connects to NationalField, the connection between their device (computer, phone, tablet) and our servers is handled via 256-bit Secure Sockets Layer (SSL) technology. Connections are only possible via HTTPS – any attempt to connect via HTTP will automatically reroute to HTTPS.
Access to NationalField can be limited to specific IP ranges to prevent access to your network from outside of authorized physical locations or VPN networks.
Data Center Security
NationalField is hosted in data centers provided by a SAS 70 Type II and ISO 27001 compliant provider. Data is physically stored in the United States of America but conforms to U.S.-EU Safe Harbor guidelines.
NationalField uses hardened Linux servers. Security updates are typically installed within one month of release by a senior systems administrator. Activity on root systems is logged for review by a senior systems administrator.
All software updates are managed by NationalField. Customers do not need to install or maintain any hardware or software. Application releases with new features, security updates, and bug fixes are pushed on an ongoing basis. New features are rolled out to a subset of users before wide release. Network administrators receive an email with release notes before each release.
Data Backup and Disaster Recovery
Backups and snapshots of customer databases occur daily and are maintained for 30 days. Backups are stored in geographically separate sites, and access is restricted to employees whose job requires such access. If a network is permanently deleted, we do not retroactively delete network data from backups since we may need to restore customer data from a backup in case it was accidentally removed.
Files are replicated and served from a globally distributed network of 26 data centers. Redundant load balancers, application servers, and database servers are deployed to ensure at least 99.9% availability in any calendar month. Real-time server status can be monitored at http://status.nationalfield.org.
The application conforms to an RPO (Recovery Point Objective) of one day and an RTO (Recovery Time Objective) of one day.
Firewall and router policies are set to “deny all” by default. Access to all servers is restricted to approved services and IP ranges. Authentication to systems that contain or can access customer data occurs only through cryptographic encryption keys, which are changed periodically. Network penetration and vulnerability scans are run at least annually.
All of our software applications are developed based on industry best practices and include information security throughout the entire development lifecycle. Strict automated and manual testing occurs before each release. Every line of code that is added or changed in a release is peer reviewed. We maintain separate development, test, and production environments.
Barriers between Networks
Customer data is stored in separate logical locations for each network. This low-level barrier exists to prevent access to other networks, even in the event of an application error.
Penetration Testing by Customers
We take security very seriously. Section 1.3 of our Terms (https://www.nationalfield.com/terms/) states that “Customer shall not … (iii) interfere with or disrupt the integrity or performance of the Company Software or the data contained therein; or (iv) attempt to gain unauthorized access to the Company Software or its related systems or networks.” Penetration and vulnerability testing are often indistinguishable from security threats and therefore violate these Terms. At this time, our policies do not allow for exceptions.
Mobile App Security
All data is transferred over HTTPS. The user’s API token may be stored on disk so the user doesn’t have to log in each time. The token does not hold any personally identifiable information or passwords. There are currently no plans to store other data on disk via the mobile app.
Standard Operating Procedures (SOP)
Information Security Policies
NationalField employees are trained and agree to their role in securing customer data. The senior systems administrator establishes and distributes these policies in coordination with the Chief Technology Officer and maintains a system for monitoring security threats and alerts.
Section 1.7 of our Terms (https://www.nationalfield.com/terms/) states that the Customer and its Authorized Users shall own all rights, title and interest in the Customer Data.
U.S.-EU Safe Harbor Compliance
NationalField complies with the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. NationalField has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
Incident Response Plan
The senior systems administrator is responsible for establishing an incident response plan that provides for notification of any security incidents. This plan includes protocols for assessing any potential breach’s impact on customer data and steps for customer data backup and recovery and notification to customers who may have been impacted.
Customer support is offered via three primary solutions: (1) our online knowledge base provides help documentation for common issues and frequently asked questions, (2) email support is available at firstname.lastname@example.org, and (3) via a “Help” link inside the application which allows a user to submit a support ticket. Enterprise customers receive a dedicated customer support manager who can field questions about non-technical issues and help customers realize the full benefits of NationalField.