Sift Trust & Safety
Sift’s mission is to help everyone trust the internet. As such, trust and safety are core to our business. We are committed to safeguarding the data and information that is shared with us when we provide our fraud and abuse prevention services to our customers and their end users.
Table of contents
Security
Below are some of the technical and organizational measures we take to protect the personal data processed within our services systems.
Program
- Sift maintains a team of dedicated security, privacy, and compliance professionals to develop, plan, and implement Sift’s ever improving security program.
- Information security policies require review and assessment of potential security threats, and risks with senior leadership on a regular basis.
- Employees receive privacy and security awareness training.
Network and transmission
- Sift uses industry standard encryption for personal data stored at rest within our services systems.
- We require TLS 1.2+ for the transfer of data between us and our customers over public networks.
- Authentication processes employ standardized protocols, which include verifying user credentials with a third-party single sign-on (SSO) provider.
Data management
- Customer data is logically segregated and controlled with strict access controls; access logs are monitored.
Access controls and logging
- Access is managed through role-based access controls which adhere to the principle of least privilege. Access reviews are conducted regularly.
- Network access controls include security groups to enable appropriate access to our systems.
- Security events and audit logs are forwarded to a central Security Information and Event Management (SIEM) solution for monitoring and investigation.
Security assessments
- We conduct routine vulnerability scans of our services systems.
- We engage independent third parties to conduct various reviews, tests, and audits of our services systems, including:
- Penetration tests.
- Auditing against various SOC2 Type 2 trust principles.
- Auditing controls for certification under ISO 27001 for Sift products and services.
Business continuity and availability and incident response
- Our systems are housed across multiple availability zones.
- Business continuity and disaster recovery plans are maintained and regularly validated.
- Incident response plans include roles, responsibilities, and procedures to classify incidents and respond to security incidents.
Vulnerability reporting
To submit a vulnerability report to Sift’s Security Team, please email [email protected] following the guidelines below:
- Provide well-written reports that clearly describe and demonstrate the vulnerability.
- If possible, include proof-of-concept code to help us better assess the finding.
- Avoid submitting reports that contain only crash dumps or automated tool output, as these may receive lower priority.
- Include information on how you discovered the bug, its impact, and any suggestions for remediation.
Certifications and audits
We engage with independent third parties to test and audit the core systems Sift uses for our products and services, in order to demonstrate our commitment to protecting and securing the data entrusted to us.
SOC 2 Type II
Sift works with an independent third-party auditor to assess certain Trust Service Criteria (TSC) for its annual SOC 2 Type II report. Developed by the AICPA, the SOC 2 report provides detailed information about an organization’s suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems.
ISO 27001
ISO/IEC 27001 is a standard for organizations to assess their information security management systems (ISMS). Certification against the standard demonstrates security controls have been implemented, are monitored, maintained, and the organization continually monitors the ISMS to improve the program. It also prescribes a set of best practices that include documentation requirements, divisions of responsibility, availability, access control, security, auditing, and corrective and preventive measures. Sift engages an independent third- party auditor to assess its controls against the ISO 27001 framework, and has been certified to ISO/IEC 27001:2013 with respect to the ISMS for its products and services.
Privacy
Service privacy notice
This notice describes how Sift collects, uses, and protects our customer data.
Website privacy notice
This notice explains how we collect, use, and protect data in connection with the use of our website, as well as with our events, sales, and marketing activities. or as it pertains to any visitors to our offices.
Website cookie notice
This notice describes Sift’s use of cookies and similar technologies on our website, and how an individual may be able to refuse or delete these tools.
How our services work for end-users
This document provides an overview of how Sift’s fraud and abuse prevention services work from the perspective of a consumer, so that online businesses can focus on safely delivering their services to their customers.
Please contact our Support team at [email protected] for our data protection addendum, or to obtain more information on how we comply with various data protection regulations as they relate to Sift’s services.