Security Measures
LAST UPDATE: January 17, 2025
Price for Profit LLC d/b/a INSIGHT2PROFIT (“INSIGHT”), when providing services to a client (“Client”) will utilize the following security measures to protect information, materials, and data of Client provided to INSIGHT in furtherance of INSIGHT’s provision of such services (“Client Data”):
Software Development
- All software engineers receive software security training that covers security best practices including OWASP Top Ten and Mobile Security best practices.
- Use of static and dynamic code analysis tools to analyze code for security vulnerabilities.
- All source code is developed in accordance with an internal Secure Development Policy and Secure Coding Standard that require:
  - A secure Software Development Lifecycle (SDLC);
  - Software and security code review before being promoted to production use;
  - Running through a continuous integration test suite;
  - Change management procedures;
  - Manual quality assurance testing; and
  - Built-in controls to protect against the OWASP Top Ten and other known security threats.
Hosting Environment
INSIGHT’s infrastructure uses several carrier-class data centers, all of which offer high availability and are compliant with the following security standards:
- ISO 27001
- SOC 2
- SSAE-16
- SSAE-18
- HITRUST
- HIPAA
- PCI-DSS
- SOX
Secure Configuration
INSIGHT has implemented and maintains secure configuration standards for hardware and software, including networking devices, operating systems, databases, applications and administrative systems.
Confidentiality
- Client Data is not made available or disclosed contrary to the terms and conditions of the agreements entered into between Client and INSIGHT.
- Client Data is processed only in accordance with the terms and conditions of the agreements entered into between Client and INSIGHT and only as required for the performance of the services.
- INSIGHT ensures that all employees, agents, sub-processors, and representatives likely to handle Client Data are under a duty of confidentiality, receive appropriate security awareness training, and have undergone a background check.
Client Data
To protect Client Data, INSIGHT takes the following handling precautions:
- Client Data may only be stored on INSIGHT managed equipment which is subject to system hardening and security compliance requirements.
- Client Data is never stored on transportable media such as USB drives, portable hard drives, or writable discs.
- The retention period for Client Data will not exceed ninety (90) days after the expiration of the Agreement unless the Agreement specifies otherwise or if an exception has been issued permitting a longer or shorter retention time.
- At the end of the retention period, Client Data will be destroyed or disposed of in a secure manner as outlined by INSIGHT unless a documented exception was previously approved.
- Client Data will undergo daily backups to ensure the availability of data in case of disaster.
Passwords and Encryption
All Client Data is encrypted in transit (TLS 1.2 or greater) to prevent unauthorized access, and access to such Client Data is protected by authentication controls.
Security Monitoring and Incident Response
INSIGHT monitors its applications, networks, infrastructure, data, and other digital assets to identify anomalies and potentially malicious activity.
If INSIGHT becomes aware of unauthorized access or disclosure of Client Data under its control, INSIGHT will adhere to the procedures described in its Incident Response Plan. This will include notification to the respective Client(s), informing them of the security incident.
Security Audit
- INSIGHT executes internal security audits in accordance with its internal audit policies and procedures.
- INSIGHT contracts with an external security provider for annual penetration testing, application testing, and general security assessments.
- Any findings identified in an audit will be remediated in accordance with INSIGHT’s Vulnerability Management Policy.
- Remediation of audit findings is verified and attested by INSIGHT’s external security provider.
Access Control
Access to Client Data is restricted pursuant to INSIGHT’s internal access control policies and procedures. Authorized personnel will be permitted to access Client Data only to the extent necessary for the performance of their duties.
Secure access control principles and best practices will be utilized, including but not limited to:
- Strict password requirements
- Multi-Factor Authentication (MFA)
- Principle of Least Privilege (PoLP)
Vulnerability Management
INSIGHT has vulnerability and patch management processes for all software and hardware. All servers and workstations are scanned by INSIGHT for vulnerabilities on a continuous basis and vulnerabilities are remediated in accordance with INSIGHT’s Vulnerability Management Policy.
Inventory of Information Assets
INSIGHT maintains a complete and accurate inventory of information assets, including each asset’s classification and criticality, through a combination of manual and automated systems.
Malware Defenses
Malware protection is deployed and monitored for all INSIGHT workstations, servers, email, and mobile devices leveraging advanced anti-malware technology.
Data Loss Prevention
INSIGHT deploys data loss prevention monitoring to prevent and detect unauthorized data movements.
Perimeter Defense
INSIGHT deploys a multilayered perimeter defense by use of firewalls, proxies, network segmentation, IPS/IDS and DMZs.
Third Party Management
INSIGHT operates a third-party management program that vets potential new third-party vendors, software, and services to validate the third party’s adherence to security best practices and standards.