Terms of Service and Liability
MSDC Service includes, but is not necessarily limited to, the development of a cloud-based provider website (“Provider Website”), and the provision of marketing services specifically outlined in our Proposal (collectively, the “Marketing Services”).
(i) Provider Website. MSDC will develop a cloud-based Provider Website for Client in accordance with the terms outlined in the Proposal.
(ii) Marketing Services. MSDC will provide the Marketing Services indicated in the Proposal. Where applicable, MSDC will make the analytic report element of the Marketing Services (the “Analytics”) available to Client in accordance with these Terms and any other MSDC rules and policies then in effect. The Analytics allows Client to set up an account and password to access the Analytics. Client may authorize employees or subcontractors to use the Analytics on behalf of Client (each, a “User”); such Users are subject to these Terms, and Client agrees to be responsible for the actions of all Users who receive authorization to use the Service, including but not limited to their access to the Analytics.
(iii) Restrictions. Client will not, and will not permit or authorize third parties to: (a) rent, lease, resell or otherwise permit unauthorized third parties to access or use the Service; (b) reverse engineer, reverse assemble or otherwise attempt to discover the source code for any software made available as part of the Service; or (c) circumvent or disable any security or other technological features or measures of the Service.
(iv) Ownership of Website and Social Media Accounts Upon Termination. Upon termination of the Agreement, You will retain ownership of the Website and we will transfer said Website to you per the terms outlined in the Proposal. All Social Media Accounts (AdWords, Facebook, Instagram, etc.) and Landing Page materials prepared by us on your behalf and account shall be owned by us and shall be our sole and exclusive property. Upon termination of this agreement, the Social Media Accounts set up on your behalf shall be closed and removed from our umbrella account.
MSDC employs a public cloud deployment model using both physical and virtualized resources for its main solutions (Microsite.com and Smart Tracking). All software maintenance and configuration activities are conducted by MSDC employees, remotely from our corporate office in Chicago.
All infrastructure responsibilities lie with MSDC, and customers are provided with functionality to manage their content, users, and roles at the application level.
MSDC follows guidance from the ISO/IEC 27002:2013 standard along with our 10 years of experience in operating highly secure web-based solutions to guide its security efforts. Additionally, MSDC employs industry standard practices for security controls such as firewalls, intrusion detection, and change management.
MSDC's distributed architecture for data collection and processing allows it to scale horizontally as the number of customers and volume of traffic increase. MSDC uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are scaled up when predetermined capacity thresholds are reached.
Only authorized personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.
Physical Security and Data Centers
MSDC Solutions infrastructure is physically located at the Rackspace US, Inc. facility in Dallas, Texas. This is a tier 3 data center, designed specifically for maximum security and availability. The data center has obtained a SOC (Service Organization Control) report or ISO 27001 certification, and employs industry best practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor this location 24 hours a day, 365 days a year. Only authorized personnel are allowed inside the data center and all access is logged.
A more complete description of Rackspace’s security management is here:
Microsite’s Security Management
MSDC Solutions infrastructure is managed by a team that employs industry best practices such as default deny rules for firewalls, intrusion detection systems and automated patch management. All key repeatable processes and security checks in MSDC's production environment are either documented in procedures or implemented as automation scripts, and approved by management.
MSDC maintains and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration) are tracked and implemented by a dedicated team.
All deployments into production or changes to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, and reviewed and approved by, the change management meeting team prior to implementation.
MSDC relies on well-defined processes, disciplined execution and continual training of staff.
Protection Against Malware
All Linux production external-facing web servers have anti-malware software installed and are scanned weekly; and all deployed code is scanned for malware daily.
MSDC strictly prohibits customers accessing servers via FTP or SFTP and therefore does not allow uploading of WordPress or other third-party plugins or software via either method. MSDC reserves the right to review any customer request to add any third-party plugins or software. Any plugin or software allowed under MSDC policy meets the highest standard of security compliance and is approved by Sucuri Inc., a highly respected security firm.
Customer Data Security
All data and files provided by customers to MSDC remain the property of the respective customers and are classified as highly confidential under MSDC’s information classification policy. Access to customer data and files is restricted to legitimate business use only.
MSDC Information Security and Access Policy prohibits copying customer data on removable media devices, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes and with the express authorization from the customer. This authorization can be contingent on encryption being used.
Password complexity rules are enforced in all environments to protect against brute-force dictionary or other password threats.
Access to resources is controlled by explicit roles in all environments. Employees are given appropriate accounts on systems which they are authorized to access following the “least privilege” principle.
Access to customer data is limited to legitimate business need, including activities required to support customers’ use of the MSDC Solutions. Employees may only access resources relevant to their work duties.
Sensitive Data Prohibited
MSDC maintains appropriate security breach notification processes in alignment with the various US state laws pertaining to consumer privacy.
MSDC prohibits the use of its Solutions to collect, process and store sensitive data.
MSDC Operations uses an industry standard enterprise application management solution to monitor systems, trigger alerts based on event logs, and to facilitate alerting, trend analysis, and risk assessment.
24×7 monitoring of critical network events with intrusion detection system (IDS) and log aggregation systems gives MSDC Operations the ability to identify and address any unauthorized access to assets (including access to customer data) within the production network.
Alerting is in place to notify the MSDC Operations team of any issue. Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected customer.
Security in Development and Support Process
MSDC follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology.
The MSDC Website Solution relies on WordPress, and MSDC acknowledges its dependency on WordPress’ security practices and updates. MSDC also uses third-party components, plugins, and APIs. All use of open source software is subject to technical and legal review and approval.
Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our main test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation, and recovery testing.
MSDC uses both internal and third-party security vulnerability scans, including those provided by Sucuri Inc.
Data Backup and Recovery
MSDC stores all customer data in the cloud-based production environment on fully redundant storage systems, and utilizes a multi-tiered backup approach. Daily and intraday data is backed up on a scheduled basis to separate near-line storage devices and/or backup media.
All backups are stored in secure containers and transferred offsite weekly for storage in a secure, environmentally controlled, reputable third-party data archive facility per Rackspace policy and procedures.
All backup files are retained for 30 days. During that time, MSDC maintains the ability to recover and reinstall backed up files on an as-needed basis.
MSDC business continuity planning (BCP) and disaster recovery (DR) activities prioritize critical functions supporting the delivery of its cloud-based Solutions to its customers.
A system-level failure, for any component in the MSDC Solutions environment, is easily identified and resolved through both MSDC and Rackspace 24×7 monitoring systems. When monitoring detects a failure, failed systems are automatically removed from the production environment, and the operations team is alerted and resolves the issue or escalates to the appropriate vendor as needed.
All servers and databases are backed up with Image Snapshot. The snapshot contains all files and data that are located on the servers. It also contains the configured OS and services that MSDC has loaded. Any server can be quickly rebuilt with the particular OS and stack that had been installed along with all the data from the previous snapshot to minimize downtime.