Circle Security Policy Statement
Last Updated: July 12, 2022
This Circle Security Policy Statement (this “Policy”) is incorporated into and made a part of the CPSA between Circle the People Inc. and its Affiliates and Customer and its Affiliates and Users covering Customer’s use of the Services.
1. Definitions. Capitalized terms used but not defined herein shall have the meanings assigned thereto in the Circle Primary Services Agreement (the “CPSA”).
2. Purpose. This Policy describes Circle’s security program and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change, Circle will continue to update its security program and strategy to help protect Customer Data and the Services. As such, Circle reserves the right to update this Policy from time-to-time; provided, however, any update will not materially reduce the overall protections set forth in this Policy. Updates and the current terms of this Policy are available at https://www.circlethepoeple.com/company. This Policy does not apply to any (a) Services that are identified as alpha, beta, not generally available, limited release, developer preview, or any similar Services offered by Circle, or (b) communications services provided by telecommunications and internet services providers.
3. Security Organization and Program. Circle maintains a risk-based assessment security program. The framework for Circle’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Circle’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Circle’s business operations. Circle will have dedicated information security personnel that manage Circle’s security program. We will also facilitate and support independent audits and assessments of our systems and processes conducted by third parties. Security is managed at the highest levels of the company, with Circle’s CEO acting as the company’s Chief Information Security Officer (CISO) meeting with other management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Circle employees for their reference.
4. Confidentiality. Circle has controls in place to maintain the confidentiality of Customer Data in accordance with the CPSA and Documentation. All Circle employees and contract personnel are bound by Circle’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5. People Security.
5.1. Employee Background Checks. Circle performs background checks on all new employees at the time of hire in accordance with applicable local laws. Circle currently verifies a new employee’s education and previous employment and may perform reference checks. Where permitted by applicable law, Circle may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
5.2. Employee Training. At least once (1) per year, Circle employees must complete a security and privacy training which covers Circle’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Circle’s security personnel also performs phishing awareness campaigns and communicates emerging threats to employees. Circle will establish an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
6. Third Party Vendor Management
6.1. Vendor Assessment. Circle may use third party vendors to provide all or any portion of the Services. Circle carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Circle’s security requirements. Circle periodically reviews each vendor considering Circle’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements. Circle ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication and internet service providers are not considered subcontractors or third-party vendors of Circle.
6.2 Vendor Agreements. Circle enters into written agreements with all vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
7. Hosting Architecture and Data Segregation.
7.1. Amazon Web Services Platform. The Services are hosted on Amazon Web Services (“AWS”) in the United States of America and protected by the security and environmental controls of Amazon. The production environment within AWS where the Services and Customer Data are hosted are logically isolated in a Virtual Private Cloud (VPC). Customer Data stored within AWS is always encrypted. AWS does not have access to unencrypted Customer Data. Information about AWS security is available at https://aws.amazon.com/security/.
7.2. Services. For the Services, all network access is restricted, using access control lists to allow only authorized services to interact in the production network. Access control lists are reviewed regularly. Circle separates Customer Data using logical identifiers. Customer Data is tagged with a unique Customer identifier that is assigned to segregate Customer Data ownership. The Circle APIs are designed and built to identify and allow authorized access only to and from Customer Data identified with customer specific tags. These controls prevent other Customers from having access to unrelated Customer Data.
8. Physical Security. AWS data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. We understand that authorized staff must pass two-factor authentication (2FA) minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four hours a day, seven days a week (24/7). Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Circle headquarters and office spaces have a physical security program that manages visitors, building entrances, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
9. Security by Design. Circle follows security by design principles when it designs the Services. Circle also performs numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities may include, but are not limited to, the performance of (a) internal security reviews before deploying new Services or code; (b) penetration tests of new Services by independent third parties; and (c) threat models for new Services to detect potential security threats and vulnerabilities.
10. Access Controls.
10.1 Provisioning Access. To minimize the risk of data exposure, Circle follows the principles of least privilege when provisioning system access. Circle personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. To access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. Circle leverages automation to identify any deviation from internal technical standards that could indicate anomalous or unauthorized activity to raise an alert within minutes of a configuration change.
10.2. Password Controls. Circle’s current policy for employee password management is to utilize longer passwords, with multi-factor authentication, which may include special characters and frequent changes. When a customer logs into his, her, or its account, Circle hashes the credentials of the user before it is stored. A Customer may also require its Users to add another layer of security to their account by using two-factor authentication (2FA).
11. Change Management. Circle has a change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using an auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the CEO. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.
12. Encryption. For the Services, the databases that store Customer Data are encrypted using the Advanced Encryption Standard.
13. Vulnerability Management. Circle maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Circle uses a third-party tool and service providers to conduct vulnerability scans regularly to assess vulnerabilities in Circle’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. For high-risk patches, Circle will itself, or use third parties, to deploy directly to existing nodes through appropriate orchestration tools.
14. Penetration Testing. Circle will engage independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
15. Security Incident Management. Circle is developing security incident management policies and procedures. Circle will create or contract with a Security Incident Response Team (“SIRT”) charged with assessing all relevant security threats and vulnerabilities, and who will then establish appropriate remediation and mitigation actions. Circle will retain security logs for one hundred and eighty (180) days. Access to these security logs is limited to SIRT. Circle utilizes third-party tools to detect, mitigate, and prevent distributed denial of service attacks.
16. Discovery, Investigation, and Notification of a Security Incident. Circle will promptly investigate a security incident upon discovery. To the extent permitted by applicable law, Circle will notify Customer of a security incident in accordance with this Policy and/or any addendum to this Policy. If appropriate and permitted under applicable law, security incident notifications will be provided to Customer via email to the email address designated by Customer in its account.
17. Resilience and Service Continuity.
17.1. Resilience. The AWS hosting infrastructure for the Circle Services (a) spans multiple fault-independent availability zones in geographic regions physically separated from one another, and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
17.2. Service Continuity. Circle will also leverage specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools can increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Circle will be immediately notified in either such event.
18. Customer Data Backups. Circle performs regular backups of Customer Data, which is hosted on AWS’s data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using the Advanced Encryption Standard.
