Trusting Nectar: A Security Whitepaper

Overview:

1. Our Intentions
2. Our Product
3. Considering Nectar as a Vendor
4. Our Actions

Our Intentions

We want to build and maintain the highest levels of trust with our customers and we want to show that we are proactive data stewards and are as transparent as possible. We want to implement any industry best-practice standard that helps move the needle - whether security and/or compliance related.

It is essential for Nectar, as a brand and company, to be secure and comply with industry best-practice security & compliance frameworks; thus, we build these controls into our systems, processes, and culture. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously.

Our Product

Overview of how the Nectar product works:
Overview of the internet traffic interfacing with the Nectar product:

Considering Nectar as a Vendor

Photo
1. Nectar is a low risk vendor for our customers from a data sensitivity, confidentiality, and integrity perspective
The only category of personal data collected by Nectar, for use by its product features and as a service provider on behalf of its customers, is non-sensitive personally identifiable information (“PII”) of our application users
  • Name (required: first and last, optional: middle and preferred name)
  • Work email (purpose: primary identifier of a user account, used for login)
  • (optional) Day and month of birthday - NOT year (purpose: for elected birthday reminders/shoutouts)
  • (optional) Physical address&phone number (purpose: some elected rewards need a delivery address and phone number of deliveree)
We do NOT store, transfer, or sell any data related to the following categories
  • Sensitive PII (e.g. driver’s license, Social Security number, full legal name, bank account number(s), passport, birth certificate, etc.).
  • PCI (i.e. payment cards; all credit card payments paid to Nectar go directly through Stripe, our payment processing partner. Details about their security posture and PCI compliance can be found at Stripe’s Security page.)
  • HIPAA (i.e. health and medical information)
  • FedRAMP (i.e. government data)
  • SOX (i.e. financial reporting & integrity)
Security controls and policies surrounding data confidentiality & integrity
  • Encryption in transit (no data is transferred unencrypted in our platform; we support TLS 1.2 at a minimum as well as TLS 1.3)
  • Encryption at rest (all data is stored in Google Cloud Platform (“GCP”) encrypted by default with a minimum strength of AES-256)
  • Authentication (single sign on (“SSO”)) & authorization (role based access control (“RBAC”)) within the Nectar customer-facing platform
  • SSO + RBAC + “least privilege” for infrastructure/admin internal consoles (e.g. Amazon Web Services (“AWS”), GCP, Cloudflare)
  • Firewalls (a Web Application Firewall (“WAF”) using Cloudflare, and a firewall in front of internal infrastructure such as databases; we have no public-facing databases)
  • GCP or AWS fully-managed infrastructure; no self-maintained infrastructure (we do not run specific compute instances, nor do we host our own physical datacenter)
  • Platform Change Management process (software development lifecycle (“SDLC”)), including change full auditability, and peer review process
  • Incident Management process, including non-repudiation/auditability and real-time detection & alerting using Cloudflare and Datadog
  • RTO of 24 hours, RPO of 24 hours (we practice disaster recovery scenarios where we are able to recover within 24 hours; we also are highly-available and redundant across several regions with an availability zone and each database has a failover replica running)
  • Information Security Program, including internal threat modeling, penetration testing, vulnerability scanning, annual external penetration testing, and a Risk Management program
2. Nectar is a low risk vendor for our customers from an “Availability” perspective
Our uptime historically has been 99.95%. We are very committed to high uptime, low error rates, and low latency.
3. Security & Compliance Frameworks
  • GDPR, CCPA/CPRA (processor and service provider compliant, non-audited)
  • SOC 2 (imminent, in 2023)
  • NIST CSF (elected, part of risk management efforts)
Photo

Our Actions

Our actions prove our intentions; here are measures we have taken to establish a strong security & compliance posture:

  1. We are compliant with industry standard frameworks, particularly those regarding data handling and data security. As a processor and service provider of our customers, Nectar has exercised good-faith efforts to be GDPR and CCPA compliant (unaudited) since 2020. In addition, Nectar’s security and compliance measures are materially consistent with other U.S. consumer privacy and data security laws (including those effective as of 2023, such as CPRA and VCDPA). During 2022 and 2023 we have been investing heavily into our security and compliance postures, and that includes being SOC 2 compliant in the first half of 2023. While we do not have a SOC 2 report yet in hand, we are currently compliant with ~85% of the practices.
  2. We pay for industry best-in-class security & compliance automation tools (Drata) to help with continual monitoring and improvement regarding both required (i.e. SOC 2) and elective frameworks (i.e. NIST CSF (National Institute of Standards and Technology (“NIST”) Cybersecurity Framework (“CSF”)). We refer to these controls and associated alerts weekly, if not daily.
  3. Nectar has developed a comprehensive set of security policies that cover a range of topics. These policies are live documents that are shared with each employee regularly, dictate the security & data handling training of our employees, guide product and data decisions, and are peer reviewed by our legal team frequently.

The remainder of this paper will address point #3 in detail, describe our policies and how they match practice, and ideally show that, overall, we take reasonable steps to ensure the confidentiality, integrity, and reliability (availability) of your data and platform experience.

Data Handling

As previously mentioned, GDPR and U.S. privacy (including CCPA/CPRA) compliance is a priority to us. Though we are not a company located in the EU nor California, we do business with many customers who in turn have users that are located or do business in said locations. The types of data, our data subprocessors (vendors we use), how data is collected and handled, and similar topics can be found within the following legal documents (and are signed when starting business with Nectar). A summary of some of this information was provided in the “Choosing Nectar as a Vendor” section previously.

  1. Our DPA can be found here under section 3.4.ii: https://nectarhr.com/msa
  2. Our Privacy Policy can be found here: https://nectarhr.com/privacy-policy
  3. Our Terms of Service can be found here: https://nectarhr.com/terms
  4. Our Master Services Agreement (“MSA”) can be found here: https://nectarhr.com/msa

Data Centers

Our application and data are hosted and managed within Google Cloud Platform (GCP) secure data centers. These data centers have been accredited under:

  1. ISO 9001:2015
  2. ISO/IEC 27001
  3. ISO/IEC 27017
  4. ISO/IEC 27018
  5. ISO/IEC 27110
  6. ISO/IEC 27701
  7. SOC 1
  8. SOC 2
  9. SOC 3

We make extensive use of the capabilities and services provided by GCP to increase privacy and control network access throughout our system. Documents that provide more details about GCP security are available at Google Security Whitepaper.

We use Google and AWS fully-managed infrastructure, and don’t use self-maintained infrastructure; in other words, we transfer the risk of running our own infrastructure to AWS and GCP - we use their fully managed services, such as GCP GKE Autopilot, GCP CloudSQL, AWS SQS, and AWS Transfer (SFTP integration). We do not run specific compute instances, nor do we host our own physical datacenter. We manage our own containers, software, and runtime processes.

We use encryption in transit (no data is transferred unencrypted in our platform; we support TLS 1.2 at a minimum as well as TLS 1.3) and encryption at rest (all data is stored in Google Cloud Platform (“GCP”) encrypted by default with a minimum strength of AES-256). We use firewalls - both a Cloudflare WAF and at the database layer to ensure our database is not publicly accessible.

Data Backups

We maintain encrypted backups for one month, and we are able to restore data to any exact point-in-time within the past month if needed. We perform daily backups. Backup data is fully expunged after one month. As per GDPR and CCPA, we are able to provide our users with create, read, update, delete (“CRUD”) functionality in regards to their data, as well as providing transparency into what data is collected with the ability to opt out (i.e. stop using the Nectar application).

Most compliance frameworks we are familiar with do not require a specific timeframe regarding data backups; some countries require specific days, but a lot err on the side of MAX retention only. With this in mind:

We feel we are being reasonable with a 30 day data retention practice, as our RPO policy is 24 hours; thus we provide many extra days in the case of severe emergencies to go back and recover data from within the last month. We frequently simulate a disaster recovery scenario where we are able to recover within 24 hours.

Our log retention is set to 15 days for a similar reason; our RTO is 24 hours, thus we provide many extra days in the case of severe emergencies to go back and examine issues and audit trails in our platform through logs. We have not had a customer support issue where we were unaware of an issue for more than 15 days that we could not find sufficient logging/auditing for. We use Datadog to collect, search, and manage logs as well as security events.

Employee Security Training & Verification

Nectar has mandatory, regular security training programs for all Nectar employees. All security-related policies are mandatory to read and accept. Nectar also has all employees sign confidentiality agreements and we conduct appropriate background and/or verification checks.

On the technology controls side, though we do not handle any sensitive data (as previously mentioned), we still follow the principle of “least privilege” and implement helpful technological controls including RBAC to prevent unnecessary access amongst our employees. We use Jamf as a mobile device management (“MDM”) solution so that we can ensure controls such as an anti-virus software running, locking employee screens, and ability to remotely wipe devices.

Information Security & Risk Management Programs

Our Information Security and Risk Management programs are a set of policies, practices, controls, and key performance indicators (“KPI”s) that give an accurate assessment of Nectar’s risk posture, in regards to security, compliance, legal liability, etc. Our most critical asset is data, and not all data is equally important; our Information Security roadmap starts and ends with understanding, managing, and securing our data.

We emphasize internal threat modeling and penetration testing and vulnerability scanning to identify (and then remediate) risks. External penetration testing compliments our internal efforts. Incident Management is a top priority, particularly our non-repudiation efforts.

Through our use of KPIs, we can measure how we’re moving the needle over time. We take a very practical approach and prioritize actual security over simply “check the box” activities. Example KPIs include NIST CSF compliance, a framework we chose to use as a best-practice to help us see the effectiveness of our policies and practices, and how well policy matches practice.

Authentication & Authorization

Nectar supports several secure SSO standards, including SAML, PingIdentity, OpenID, Azure, etc. This is the preferred product authentication method. Retry-limited username+password logins are also supported. These passwords are never transferred or stored in a form that can be read in plain text (hashed). Authentication sessions are invalidated when users change key information and sessions automatically expire after a period of inactivity. We enforce password complexity requirements.

We provide multiple user roles with different permissions levels within the product. Roles vary from account admins to users and thus follow the principle of least privilege and RBAC.

For Nectar infrastructure, we require ourselves to use Google SSO and MFA on our tooling, such as GCP, AWS, Cloudflare, Datadog, etc. Again, we follow the principle of “least privilege” and implement helpful technological controls including RBAC.

Production database access (aside from the user web application) is limited to the CTO and a handful of senior engineers to administer it. They are whitelisted on our firewall and are the only personnel who may access the database directly, which still requires username+password authentication, using passwords with a minimum length of 12 characters and a combination of numbers, letters, and upper-case numbers.

Failover and disaster recovery

Nectar is built with fault tolerance capability and is highly-available. Each of our services is fully redundant with replication, failover, and backups. Services are distributed across multiple GCP availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures. Our historical uptime has been 99.95%.

Disclosure

If you have any concerns or discover a security issue, please email us at security@nectarhr.com and we will quickly investigate. We request that you do not publicly disclose any issue you discovered until after we have addressed it.