We at B2BWorks.com ("B2BWorks.com," "we," "us," "our") know that our users ("you," "your") care about how your personal information is used and shared, and we take your privacy seriously. Please read the following B2BWorks.com Privacy Policy (the "Privacy Policy"). By visiting or using the www.B2BWorks.com website or application, and any other linked pages, features, content, or any other services we offer from time to time in connection therewith (collectively, "B2BWorks.com"), you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent that we will collect, use, and share your information in the following ways. This Privacy Policy only applies to products and services related to B2BWorks.com; other products and services provided by B2BWorks.com may be governed by separate privacy policies.
Virtual network resources are protected by Next Gen Firewall. Firewall deny access to unauthorized IP addresses. Public access to the database through the network is disabled and standard ports are closed.
Our application assigns a unique ID to each person with computer access to confidential data. Access rights are provided to employees based on their role within the company and are progressive, based on their responsibility. The list of people and services with access to confidential data are reviewed on a regular basis, and we routinely remove accounts that no longer require access.
Two-factor SMS based authentication is mandatory for login credentials that have access to confidential data as well as those who are able to create users that allow access to confidential data. We also enforce a policy of a single user account per session that immediately terminates any other active sessions for the logged in user.
Our application audits and analyzes all access events to detect any login anomalies using the methods described above. Granting confidential data access to a user account is restricted for only top level admins with special permissions to do so and that already have confidential data access. All new user accounts that are created have to go through an approval process that cannot be completed by the user who is creating the account. Additional approval process is required when granting access to confidential data similar to creating a new account. Accounts that have not been active for over 30 days are locked automatically. The use of generic, shared and default logins are prevented with the mandatory requirement of two-factor authentication, login credentials approval, single session per login. Our application enforces “account lockout” using multiple industry standard methods in addition to the mandatory two-factor authentication.
All data in transit must be accomplished over TLS/HTTPS. In the case we are working with legacy systems, we highly recommend converting to HTTPS, as we must enforce this security control on all applicable external endpoints used by customers as well as internal communication channels and operational tooling. Unsecured communication channels will be disabled.
Plans and Tooling will be in place to detect and handle security incidents, which identify the incident response roles and responsibilities, define incident types that may impact third-parties, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to respective parties. Such Plans and Tooling will be reviewed and verify the plan every 6 months. Data breaches require the client (customer), users, third-party APIs and all other parties to be notified within 24 hours.
All security events are handled by the designated role according to the procedures documented in our Incident Response Plan. Every incident is investigated, responded, remediated if necessary and documented. According to our Incident Response Plan, any incident that involves verified or suspected access to confidential data needs to be escalated immediately, the application to be locked down, and if the data belongs to a third-party for them to be notified by email within 24 hours. In incidents involving third-party data the full report will be provided to the owner of the data by request. We do not contact any regulatory authority on behalf of a third-party unless specifically requested to do so by them.
We will respond with data requests within 72 hours and you may ask for data to be permanently deleted, with written confirmation after it is completed.
All personally identifiable information is stored in an encrypted (AES-256, or RSA with 2048-bit key size). The cryptographic materials and cryptographic capabilities used for encryption are only accessible to our processes and services, and will never be shared. Data will never be persisted using removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive) unless we have received written consent from the client.
The cryptographic materials and cryptographic capabilities used for encryption are only accessible to our processes and services, and are never shared or accessible without authorization. We prevent direct access to our database that also includes confidential data so that it can never be saved to removable media or other methods that are used for persisting data outside of our encrypted and secured database. The entire process of retrieving the data from third party, persisting in our database and accessing it are entirely done securely using encryption at every stage through our application. Additionally, our application is designed to never display more than a single record of personally identifiable information so as to provide additional security against persisting bulk data using screenshots or saving web pages. The workstations used to access the data are also secured with group policy to restrict access to their onboard storage devices as well as removable media. The group policy also restricts the use of applications and websites except for those that have been deemed secure and mandatory to perform the tasks assigned to the employee. We monitor and log access to the workstations using security logs provided by the operating system.
Our application logs all security related events which includes our service API, storage-level API and administrative dashboard. The application actively monitors these logs to detect suspicious activity using rules that includes the detection of multiple unauthorized calls, unusual request rate, unusual data retrieval volume and the use of canary records. Any detected intrusion attempts if done using a known user account is immediately locked out along with the IP address. We also block any IP addresses that trigger the alarms immediately. All suspicious events that are detected trigger a notification that is immediately sent to system admins through SMS as well as email. Each notification must be reviewed and documented according to our incident response plan.
All configuration changes must be requested through a change request and receive a prior authorization before being performed. Only users with the top level access can be authorized to perform these configuration changes. These permissions are only granted during the requested time and are never performed without supervision. The changes performed, the user committing them, the user approving them and the user who is in charge of monitoring are also logged. No Personally identifiable information is ever stored in the logs or in any other location other than our database in an encrypted format. The access logs are protected using the server access control policy. They are not accessible without prior authorization. The access control policy also ensures against tampering by only granting read only access to them. All security events are audited by the server operating system and reviewed by the system admins. Per our policy we retain the logs up to 180 days but never less than 90 days. As added security, we only allow access to confidential data to whitelisted IP addresses.
The risk is evaluated by looking at over 30 different risk indicators, grouped into risk factors, as follows:
- Risky IP addressA cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns. We use cookies to identify and track visitors, their usage of our website, and their website access preferences. We also use cookies to help us to improve the performance of our website to provide you with a better user experience.
We neither rent nor sell your Personal Information to anyone. We DO NOT share your Personal Information (in personally identifiable form) with third parties
We may release Personal Information when we believe in good faith that release is necessary to comply with the law or in response to any request from any law enforcement agency or other governmental organization; to enforce or apply our conditions of use and other agreements; or to protect the rights, property, or safety of B2BWorks.com, our employees, our users, or others. This includes exchanging Personal Information with other companies and organizations for fraud protection and credit risk reduction.
We may amend this Privacy Policy from time to time. Use of information we collect is subject to the Privacy Policy in effect at the time such information is used. If we make changes in the way we use Personal Information, we will post the changes to the B2BWorks.com website and/or send you an email prior to the change becoming effective.