Security

Encryption and Key Management Policy

Cryptographic Key Requirements
Cashmere AI must use industry-approved strong algorithms to encrypt data-in-transit and data-at-rest.

Strong Standards
Transport Layer Security
Cashmere AI uses strong cryptography and security protocols (TLS 1.2+ or a minimally equivalent protocol) to safeguard sensitive data during transmission over open, public networks. Cashmere AI protects the integrity and confidentiality of data passing over public networks from fraudulent activity, contract dispute, and unauthorized disclosure and modification. Cashmere AI prohibits the transmission of unprotected sensitive data using insecure end-user messaging technologies.

Databases at Rest
Cashmere AI requires that data-at-rest be encrypted only with strong encryption methods (AES-256 or an algorithm of equivalent strength). Reference the following for guidance on encryption algorithms: NIST Security Requirements for Cryptographic Modules (FIPS 140-3) and NIST CMVP Approved Security Functions (SP 800-140C).

Key Management
Keys must be protected to prevent unauthorized disclosure and subsequent fraudulent use:
- Users handling private keys must physically and logically secure them.
- Do not share keys with anyone else.
- Never re-use a key for a purpose or data set other than the one it was issued for.

Generating Keys
To generate a key, users must use an industry-standard, cryptographically secure random number generator; reference the OWASP Key Management Cheat Sheet for guidance. Keys should not be based on common words or phrases.

Key Rotation
Encryption keys should be changed (or rotated) based on a number of different criteria:
- If the key is or may be compromised (for example, an ex-employee may have had access to a key).
- After a specified period of time, known as the cryptoperiod, has elapsed. See Section 5.3 of NIST Recommendation for Key Management (SP 800-57 Part 1) for guidance.
- After the key has been used to encrypt a specific amount of data.
- If there is a significant change to the security provided by the algorithm (such as a new attack being announced).
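The key generation and rotation rules above can be enforced in code rather than left to procedure. The following Go program is an added illustration, not part of the Cashmere AI policy or its tooling: it generates a 256-bit key from the operating system CSPRNG, encrypts with AES-256-GCM, counts how often the key has been used, and refuses new encryptions once any of the four rotation criteria is met. The one-year cryptoperiod, the DataKey type and the function names are this example's own assumptions; the usage cap of 2^32 invocations is the NIST SP 800-38D limit for AES-GCM with random 96-bit nonces.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Policy parameters for this example (assumed values, not from the Cashmere AI
// policy). MaxGCMInvocations is the NIST SP 800-38D bound for AES-GCM with
// random 96-bit nonces: no more than 2^32 encryptions under one key.
const (
	DefaultCryptoperiod = 365 * 24 * time.Hour
	MaxGCMInvocations   = uint64(1) << 32
)

// DataKey is a 256-bit AES key plus the metadata needed to decide when it must
// be rotated. In production the raw bytes would stay inside a KMS or HSM; they
// are held in memory here only so the example runs stand-alone.
type DataKey struct {
	ID                string
	Raw               []byte
	Created           time.Time
	Invocations       uint64 // encryptions performed under this key
	Compromised       bool   // key is known or suspected to be exposed
	AlgorithmWeakened bool   // a published attack has reduced the algorithm's margin
}

// NewDataKey draws 32 bytes from the OS CSPRNG (crypto/rand), never from a
// passphrase, a word list, or math/rand.
func NewDataKey(id string, now time.Time) (*DataKey, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	return &DataKey{ID: id, Raw: raw, Created: now}, nil
}

// RotationReason returns why the key must be rotated, or "" if it may still be
// used for new encryptions. The four checks mirror the policy's criteria.
func (k *DataKey) RotationReason(now time.Time, cryptoperiod time.Duration, maxInvocations uint64) string {
	switch {
	case k.Compromised:
		return "key is or may be compromised"
	case k.AlgorithmWeakened:
		return "algorithm security has significantly changed"
	case now.Sub(k.Created) >= cryptoperiod:
		return "cryptoperiod elapsed"
	case k.Invocations >= maxInvocations:
		return "encryption usage limit reached"
	}
	return ""
}

// Encrypt seals plaintext with AES-256-GCM under a fresh random nonce and
// counts the invocation. A key due for rotation is refused for new ciphertext.
func (k *DataKey) Encrypt(now time.Time, plaintext, aad []byte) ([]byte, error) {
	if reason := k.RotationReason(now, DefaultCryptoperiod, MaxGCMInvocations); reason != "" {
		return nil, errors.New("refusing to encrypt with key " + k.ID + ": " + reason)
	}
	aead, err := newGCM(k.Raw)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	k.Invocations++
	return aead.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

// Decrypt opens ciphertext produced by Encrypt. A key due for rotation may
// still decrypt, so existing data can be re-encrypted under its replacement.
func (k *DataKey) Decrypt(ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(k.Raw)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, body, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	now := time.Now()
	k, _ := NewDataKey("dek-example", now)
	ct, err := k.Encrypt(now, []byte("customer record"), []byte("table=customers"))
	fmt.Println(len(ct), err)
	k.Compromised = true // e.g. an ex-employee had access to the key material
	_, err = k.Encrypt(now, []byte("another record"), nil)
	fmt.Println(err)
}
```

Two design points worth noting. Encrypt is gated by RotationReason but Decrypt is not: rotation means new data goes under a new key, while the old key stays available (read-only) until everything it protects has been re-encrypted and it can be retired. And the invocation counter is what makes the "specific amount of data" criterion enforceable; without it a service can silently exceed the GCM nonce-reuse bound and the policy has no teeth.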

Key Storage
When available, the secure storage mechanisms provided by the operating system, framework or cloud service provider should be used. The key management system must ensure that all encryption keys are secured and that access is limited to authorized Cashmere AI personnel. This may include:
- A physical Hardware Security Module (HSM)
- A virtual HSM
- Key vaults such as AWS KMS or Azure Key Vault

Exceptions
Cashmere AI business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Cashmere AI policy. If an exception is needed, Cashmere AI management will determine an acceptable alternative approach.  

Enforcement
Any violation of this policy or any other Cashmere AI policy or procedure may result in disciplinary action, up to and including termination of employment. Cashmere AI reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Cashmere AI does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work. Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Cashmere AI as soon as possible.  The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.

Information Security Policy

Information Security Communication
Please contact security@cashmereai.com if you have any questions about the Cashmere AI information security program.

People Security
Background Check
All Cashmere AI personnel are required to complete a background check. An authorized member of Cashmere AI must review each background check in accordance with local laws.

Confidentiality
Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting Cashmere AI confidential information.

Security Awareness Training
Cashmere AI has a security awareness training program in place to promote the understanding of security policies and procedures. All personnel are required to undergo training following initial employment and annually thereafter. Completion of the training program is logged by Cashmere AI.

Secure Coding
Cashmere AI promotes the understanding of secure coding to its engineers in order to improve the security and robustness of Cashmere AI products.

Physical Security
Clear Desk
Cashmere AI personnel are required to ensure that all sensitive information in hardcopy or electronic form is secure in their work area when it is unattended. This requirement extends to both remote and in-office work.
Cashmere AI personnel must remove hardcopies of sensitive information from desks and lock the information in a drawer when desks are unoccupied and at the end of the work day. Keys used to access sensitive information must not be left at an unattended desk.

Clear Screen
Cashmere AI employees and contractors must be aware of their surroundings at all times and ensure that no unauthorized individuals can see or hear sensitive information. All mobile and desktop devices must be locked when unattended. Session time-outs and lockouts are enforced through technical controls for all systems containing sensitive information.
All devices containing sensitive information, including mobile devices, shall be configured to automatically lock after a period of inactivity (e.g. screen saver).

Remote Work
Any Cashmere AI issued device used to access company applications, systems, infrastructure, or data must be used only by the employee or contractor to whom that device is issued.
Employees or contractors accessing the Cashmere AI network or other cloud-based networks or tools are required to use HTTPS/TLS 1.2+ at a minimum to protect data-in-transit.
If you are in a public space, ensure your sight lines are blocked and do not have customer conversations or other confidential conversations. If someone is close to you, assume they can see and hear everything. Connecting directly to a public wireless network that does not employ, at minimum, WPA2 or an equivalent wireless security protocol is prohibited.
While working at home, employees and applicable contractors should be mindful when visitors (e.g. maintenance personnel) are at their residences, as visitors could become privy to sensitive information left up on computer screens.

System Access Security
Cashmere AI adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources necessary to perform their job functions as determined by management or a designee. Requests for escalation of privileges or changes to privileges and access permissions are documented and require approval by an authorized manager. System access is revoked immediately upon termination or resignation.

Account Audits
Audits of access and privileges to sensitive Cashmere AI applications, infrastructure, systems, and data are performed regularly and reviewed by authorized personnel.

Password Security
Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with anyone. Where possible, all user and system accounts must enforce the password complexity requirements specified in the Access Control and Termination Policy. Every account must use a unique password that is not shared with any other account.

Rotation Requirements
If a password is suspected to be compromised, the password should be rotated immediately and the security team should be immediately notified.

Storing Passwords
Passwords must be stored only in a Cashmere AI approved password manager. Cashmere AI does not hard-code passwords or embed credentials in source code.

Asset Security
Cashmere AI maintains a Configuration and Asset Management Policy designed to track and set configuration standards to protect Cashmere AI devices, networks, systems, and data. In compliance with such policy, Cashmere AI may provide team members laptops or other devices to perform their job duties effectively.

Data Management
Cashmere AI stores and disposes of sensitive data in a manner that reasonably safeguards the confidentiality of the data, protects against the unauthorized use or disclosure of the data, and renders the data secure or appropriately destroyed. Data entered into Cashmere AI applications must be validated where possible to ensure the quality of information processed and to mitigate the impact of web-based attacks on the systems.

Data Classification
Cashmere AI defines the handling and classification of data in the Data Classification Policy.

Data Retention and Disposal Policy
The time periods for which Cashmere AI must retain customer data depends on the purpose for which it is used. Cashmere AI retains customer data as long as an account is active, as needed to provide services to the customer, or in accordance with the agreement(s) between Cashmere AI and the customer. An exemption to this policy would include if Cashmere AI is required by law to dispose of data earlier or keep data longer. Cashmere AI may retain and use customer data to comply with its legal obligations, resolve disputes, and enforce agreements.
Except as otherwise set forth in the Cashmere AI policies, Cashmere AI also disposes of customer data when requested by customers.
Cashmere AI maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. Cashmere AI hosting and service providers are responsible for ensuring the removal of data from disks allocated to Cashmere AI use before they are repurposed or destroyed.

Change and Development Management
To protect against unauthorized changes and the introduction of malicious code, Cashmere AI maintains a Change Management Policy with change management procedures that address the types of changes, required documentation, required review and/or approvals, and emergency changes. Changes to Cashmere AI production infrastructure, systems, and applications must be documented, tested, and approved before deployment.

Vulnerability and Patch Management
Cashmere AI uses a proactive vulnerability and patch management process that prioritizes and applies patches based on their classification. That classification considers whether the issue is security-related, its severity, and other relevant factors. Cashmere AI schedules third party penetration tests and/or performs internal assessments at least annually.
If you believe you have discovered a vulnerability, please email security@cashmereai.com and Cashmere AI will aim to address the vulnerability, if confirmed, as soon as possible.

Environment Separation
As necessary, Cashmere AI maintains requirements and controls for the separation of development and production environments.

Source Code
Cashmere AI controlled directories or repositories containing source code are secured from unauthorized access.

Logging and Monitoring
Cashmere AI collects and monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities. Cashmere AI manages logging solution(s) and/or SIEM tool(s) to collect event information from the aforementioned systems and activities. Cashmere AI implements filters, parameters, and alarms to trigger alerts on logged events that deviate from established system and activity baselines. Logs are securely stored and archived for a minimum of 1 year to assist with potential forensic efforts.

Logs are made available to relevant team members for troubleshooting, auditing, and capacity planning activities. System and user activity logs may be utilized to assess the causes of incidents and problems. Cashmere AI utilizes access control to prevent unauthorized access, deletion, or tampering of logging facilities and log information.
When events and alerts are generated from monitoring solutions and mechanisms, Cashmere AI correlates those events and alerts across all sources to identify root causes and formally declare incidents, as necessary, in accordance with the Security Incident Response Policy and Change Management Policy.
Additionally, Cashmere AI utilizes threat detection solution(s) to actively monitor and alert on network and application-based threats.

Business Continuity and Disaster Recovery
Cashmere AI maintains a plan for continuous business operations if facilities, infrastructure or systems fail. The plan is tested, reviewed and updated at least annually.

Backup Policy
Backups are performed according to appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in the event of a disaster or media failure.

Security Incident Response
Cashmere AI maintains a plan that defines responsibilities, detection, and corrective actions during a security incident. The plan will be executed following the discovery of an incident such as system compromise, or unintended/unauthorized acquisition, access, use or release of non-public information. The plan is tested, reviewed and updated at least annually.
Cashmere AI utilizes various monitoring and surveillance tools to detect security threats and incidents. Early detection and response can mitigate damages and minimize further risk to Cashmere AI.
A message should be sent to security@cashmereai.com if you believe there may be a security incident or threat.

Risk Management
Cashmere AI requires a risk assessment to be performed at least annually. For risks identified during the process, Cashmere AI must classify the risks and develop action plans to mitigate discovered risks.

Vendor Management
Cashmere AI requires a vendor security assessment before third party products or services are used confirming the provider can maintain appropriate security and privacy controls. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI DSS, HITRUST, ISO 27001, etc.) or other security compliance evidence. Agreements will be updated and amended as necessary when business, laws, and regulatory requirements change.

Privacy
Personal Data
Cashmere AI personnel must treat personal data with appropriate security and handling and accommodate data subject requests, as required by applicable laws and regulations. No unauthorized personnel should have access to personal data.

Exceptions
Cashmere AI business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Cashmere AI policy. If an exception is needed, Cashmere AI management will determine an acceptable alternative approach.

Enforcement
Any violation of this policy or any other Cashmere AI policy or procedure may result in disciplinary action, up to and including termination of employment. Cashmere AI reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Cashmere AI does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Cashmere AI as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.