Project Insight Hosted Security
Project Insight's hosted cloud security is top notch. For transparency, we describe our security levels and procedures here for your review.
Uptime Rate
Project Insight has a guaranteed system availability of 99% of total hours per month, excluding planned maintenance. However, Project Insight's actual uptime rates have been:
2018 - 99.998%
2017 - 99.945%
2016 - 99.992%
2015 - 99.995%
2014 - 99.984%
2013 - 99.997%
2011 - 99.994%
2010 - 99.997%
2009 - 99.994%
2008 - 99.984%
Application Standard Maintenance
Project Insight performs regularly scheduled maintenance for infrastructure updates such as firmware, the operating system and database software. Maintenance is also scheduled as needed for application software updates and patches.
Standard maintenance windows
Project Insight observes standard maintenance windows. The system may be down for a short period during these standard windows. See:
Application Maintenance Windows
System status
Project Insight posts all planned and unplanned events on the DevOps System Status page. If you are experiencing an outage or slowdown, go to the link for updates.
Email notification of system status
If the system is experiencing a slowdown or outage, we post to the DevOps System Status page first. When we have more information about the issue or its cause, we email the Designated Support Contacts of our customers. This email reminds customers to re-visit the DevOps posts for updates.
Data Center Facilities
Project Insight offers two hosted options:
Level 3 Communications
Level 3 is where our multi-tenant SaaS clients are hosted.
Level 3 Communications is SSAE16/SAS70 compliant: it performs all activities and has all controls in place necessary to comply with the standard, but has not proactively had its facilities certified by external auditors. This is due to the variability of requirements as well as the very high cost of certifying over 200 sites.
Microsoft Azure
Microsoft Azure is where our Dedicated Instance clients are hosted. A Dedicated Instance allows clients the ability to access their database for additional reporting through database queries, as well as the option to use the developer's toolkits, including the SDK.
The Azure sites are SSAE 16 certified. For more information about security:
Azure Security
Azure Compliance
We offer Azure instances globally. See the link for worldwide locations.
Azure Worldwide Locations
Microsoft Government Azure
Project Insight can also set up your instance on a Microsoft Government Azure platform which includes most certifications needed to fulfill government requirements.
Downtime Procedures
Project Insight has internal team members on 24/7 notification at all times. If a server goes offline, the team is notified via mobile phone. They coordinate and immediately execute the action plan to restore all services.
Single Sign On
Project Insight can be configured by administrators to require Single Sign On (SSO). Project Insight supports any SSO provider capable of SAML 2.0, including Windows ADFS.
Application Administration Security
Project Insight administrators may increase application security using security settings inside the software including:
- Login session timeout
- Disable remember username on login
- Disable remember username on mobile login
- Control browser password auto-complete on login and mobile
- Determine password strength and requirements
- Lock out users after failed login attempts
- Set a password expiration period
- Disallow re-use of previous passwords
Data Facility Access
Data facilities are in unmarked buildings with locked, secure access from the outside. Each data center has a separate 'cage' which is locked and only Project Insight has the keys.
Only Project Insight employees may access the data centers; no third parties or non-employees are allowed. All employees who access the data centers are background checked. If a customer would like access to their Dedicated Instance, that is possible remotely for additional fees.
All new employees must sign a terms and conditions agreement upon initial hire. Employees are trained on all internal security policies at a minimum once every twelve months. Compliance with all security policies by employees is a condition of employment. Non-compliance will result in termination of employment.
Background Checks
Any personnel who have access to our data center and/or your data undergo a rigorous federal and state background check before accessing any data facility. The number of staff with such access is very limited.
Data Backups
Your data in our hosted facility is backed up every hour of every day. Supporting files are backed up continuously, with an additional daily incremental backup. A full database backup is conducted once per day. Backups are stored in a safe in a secure location separate from the data center.
If the facility is destroyed in some way, we will use secondary facilities, including Azure or Amazon services. Backups are always fully encrypted. It would take one day to restore if we had to put all data in the secondary facility.
If customers would like periodic data backups of their own, our Professional Services team can help. Call your customer success contact for details and pricing.
Disaster Recovery Plan
Project Insight has a disaster recovery plan which includes step by step instructions for completely installing and restoring the Project Insight system. This plan is accessible only to authorized Project Insight personnel. The plan is not published publicly as there is sensitive information within the plan that may compromise the security of the hosted or cloud environment.
Data Encryption
All data is transmitted via Secure Sockets Layer (SSL) and is therefore encrypted as it passes over the internet. All user credentials are hashed. Data is not encrypted at rest. Customers may opt to use their own SSL certificate. For more information on this, go to:
Self Assigned SSL Certificate
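The administrator controls listed under Application Administration Security (password strength, lockout after failed logins, password expiration, no re-use of previous passwords, session timeout) and the credential hashing mentioned under Data Encryption are shown together below as an added illustration. This is not Project Insight's code and does not reflect how the product implements these settings; the policy values, the `PasswordPolicy`/`Account` names and the PBKDF2 parameters are assumptions chosen for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Illustrative policy values (assumptions for this example, not product defaults).
@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_age_days: int = 90          # password expiration period
    history_size: int = 5           # previous passwords that may not be re-used
    max_failed_attempts: int = 5    # lockout threshold
    lockout_minutes: int = 15
    session_timeout_minutes: int = 30

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune upward in production

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def check_strength(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters required")
    if not any(c.isdigit() for c in password):
        problems.append("a digit is required")
    if not any(c.isupper() for c in password):
        problems.append("an uppercase letter is required")
    if not any(not c.isalnum() for c in password):
        problems.append("a symbol is required")
    return problems

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest) pairs
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

def create_account(username: str, password: str, now: datetime) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now)

def set_password(acct: Account, new_password: str, policy: PasswordPolicy, now: datetime) -> List[str]:
    """Apply strength rules and the re-use ban; rotate the hash history on success."""
    problems = check_strength(new_password, policy)
    if problems:
        return problems
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new_password, salt, digest):
            return ["password was used recently"]
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[: policy.history_size]
    acct.salt, acct.digest = hash_password(new_password)
    acct.password_set_at = now
    return []

def attempt_login(acct: Account, password: str, policy: PasswordPolicy, now: datetime) -> str:
    """Returns 'locked', 'denied', 'expired' or 'ok'. A locked account is refused before any hash check."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_failed_attempts:
            acct.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            acct.failed_attempts = 0
            return "locked"
        return "denied"
    acct.failed_attempts, acct.locked_until, acct.last_activity = 0, None, now
    if now - acct.password_set_at > timedelta(days=policy.max_age_days):
        return "expired"   # correct credentials, but the expiration period has passed
    return "ok"

def session_active(acct: Account, policy: PasswordPolicy, now: datetime) -> bool:
    """Login session timeout: idle longer than the limit ends the session."""
    return acct.last_activity is not None and \
        now - acct.last_activity <= timedelta(minutes=policy.session_timeout_minutes)

def demo() -> dict:
    """Walk a constructed account through each control and return the outcomes."""
    policy, t0 = PasswordPolicy(), datetime(2024, 1, 1, 9, 0, 0)   # constructed clock
    acct, r = create_account("alice", "Correct-Horse-42!", t0), {}
    r["weak_rejected"] = set_password(acct, "password", policy, t0)
    r["reuse_rejected"] = set_password(acct, "Correct-Horse-42!", policy, t0)
    r["rotated"] = set_password(acct, "Battery-Staple-77#", policy, t0)
    r["old_reuse_rejected"] = set_password(acct, "Correct-Horse-42!", policy, t0)
    for _ in range(policy.max_failed_attempts):
        last = attempt_login(acct, "wrong-guess", policy, t0)
    r["after_failures"] = last
    r["locked_even_if_correct"] = attempt_login(acct, "Battery-Staple-77#", policy, t0 + timedelta(minutes=1))
    t1 = t0 + timedelta(minutes=policy.lockout_minutes + 1)
    r["after_lockout"] = attempt_login(acct, "Battery-Staple-77#", policy, t1)
    r["session_live"] = session_active(acct, policy, t1 + timedelta(minutes=10))
    r["session_timed_out"] = session_active(acct, policy, t1 + timedelta(minutes=31))
    r["expired"] = attempt_login(acct, "Battery-Staple-77#", policy, t1 + timedelta(days=91))
    return r

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to any real implementation of these settings: a locked account is refused before the password is checked, so an attacker gains nothing from the lock window, and the re-use ban works entirely on stored hashes, so old passwords never have to be kept in clear.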
Data Restoration
In the event of a complete catastrophe, Project Insight is prepared to be restored within 72 hours of a total data center failure. Project Insight asks for forty five (45) days from catastrophe to recover to standard service level agreement (SLA) levels.
Escrow Policy
Project Insight offers its customers an optional escrow program. Should an event occur that renders the organization insolvent, customers that have signed up for the escrow program will be able to access the complete software application and source code from the escrow provider. This third party escrow company possesses the entire application and source code in escrow.
Seizure of Data
In the unlikely event that a governmental or regulatory body or a court order requires us to disclose customer data, Project Insight will provide advance notice to the customer, then disclose the information as required by law. Disclosure will be limited to the minimum extent required to comply with such regulation or order.
Removal of Customer Data upon Contract Cancellation
If a customer chooses not to renew service with Project Insight, the service is cancelled and the customer data is deleted within six weeks of cancellation.
Data Extraction Services
Customers may request a copy of their data be extracted and sent to them. This involves Professional Services and is performed for a fee.
Hardware Erasure and Destruction
Data is destroyed both by complete erasure to the US DoD standard and by physical destruction of the media. In the less common case of a media failure, destruction is by physical destruction of the media only.
Insurance
Project Insight has insurance coverage in many areas, including technology, media and professional services.
U.S. Based
Many customers must follow government regulations such as ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). All of Project Insight's developers are located in the U.S. The technical support team is located in the U.S. The multi-tenant SaaS edition and all of its backups are located in the U.S. Also, a dedicated Azure instance may be set up in any U.S. location. All of our team members who have access to our hosted data farms are U.S. citizens or valid green card holders and have been security-screened.