Information Security Policy
Version: September 6, 2022
This website is operated and maintained by AMZ Prep Canada (hereinafter referred to as AMZ Prep or the Company), a company registered in Canada and having its principal place of business at 9 Van der Graaf Crt, Brampton, ON, Canada L6T 5E5.
This electronic document, referred to henceforth as the Information Security Policy (the “Policy”), is meant to provide a framework for managing the security of the business information relevant to the website. It describes the measures employed to protect the confidentiality, integrity and availability of business information stored, processed or transmitted by any hardware or software (collectively known as “Information Systems”) on the website.
1. Definitions
Website means this website.
Service means a feature offered by the Website.
We, Us or Our means the Company.
Individual means a natural human being.
Entity means any Individual or group of Individuals recognized by law and having legal rights and obligations.
Person means any Individual or Entity.
Bot means any mechanical, or computer hardware or software construct that can be programmed by a Person to perform one or more tasks.
Use means accessing any content on the Website, including, but not limited to accessing web pages on the website, viewing or downloading pictures that appear on web pages or otherwise, and downloading files from the website.
User, You or Your means a Person or Bot who Uses the website, including you.
Party means either you or us. Parties means both you and us.
Information System means any electronic system (hardware, software or a combination thereof) capable of storing, processing or transmitting information.
Information Security Manager means a Person designated by us as being responsible for the management, assurance and governance of all aspects related to the security of the Information Systems used for operating the Website. The Information Security Manager (or ISM in short) is also the owner of this document, ensuring that its content is always current and in line with the policies and procedures of the Company.
System Administrator means a Person designated by us as being responsible for regular operations, monitoring, maintenance, upkeep and upgrade of the Information Systems used for operating the Website.
1. Responsibilities of the Company
We are committed to the following:
Protecting all business information, whether stored on the Information Systems or being processed or transmitted, from unauthorized access, including access by System Administrators who have direct access to the Information Systems.
Putting appropriate measures in place to prevent unauthorized access to business information stored on the Information Systems by parties other than those designated by us.
Complying with all prevailing laws relating to information security in the regions we operate.
That we will not sell or otherwise distribute in any form the business information of the Users without their prior written consent, other than to comply with statutory requirements and requests from law-enforcement agencies.
Training all System Administrators on prevailing security best practices and statutory requirements.
2. Responsibilities of the Users
Users agree to the following:
By using any Service, Users agree to abide by all prevailing terms and conditions under which the Service being used is being offered.
That any action performed on the Website will be legally binding on the Users and on the legal entity they represent (if any).
That they will not disclose or share any information obtained on the Website as part of their day-to-day work to any unauthorized personnel or business entities.
That they will not share confidential information such as passwords with other Users.
3. Physical Security
The Website runs on computing infrastructure provided by a cloud hosting services provider. We are committed to making sure that the cloud hosting services provider chosen for the Website is dedicated to physical security of the Information Systems and protects the physical infrastructure from unauthorized access.
3.1. Secure Infrastructure
We ensure that our cloud hosting services provider maintains full physical security of the premises and of the Information Systems used for running the Website.
3.2. Standards Compliance
We only work with service providers that comply with global and national standards and regulations such as GDPR, NIST, CSA, ISO-9001, etc.
3.3. Independent Attestation
We ensure that our service providers are periodically assessed, audited and certified by competent, globally recognized third parties. Further, we review the accreditations and attestations of our service providers on a yearly basis.
4. Application Security
4.1. Design
We follow common security best practices and standards for the Website, including, but not limited to:
OWASP Top-10
Secure Authentication and Authorization
Role-Based Access Control (RBAC)
4.2. Validation
We undertake the following activities to ensure that the software for the Website is secure:
Half-yearly vulnerability and security scans
Continuous scanning of third-party open-source code used for the Website
4.3. Deployment
During deployment, we ensure the following to address potential security risks:
Multi-tier deployment with firewalls between tiers to allow only relevant network traffic
Secure access to Information Systems via a VPN or tunneling solution
Continuous scanning of Information Systems to detect anomalies in configuration or usage patterns
5. Data Security
5.1. Data on the Client
We follow the security best practices listed below for maintaining security of application data when it is loaded within a User’s web browser:
All Users must authenticate themselves to allow the Website to identify them uniquely.
Users can view their data only after authenticating themselves.
Users are allowed to access only those Services to which they have access.
5.2. Data in Transit
Privacy of data in transit between the client and the servers hosting the Website is ensured by encrypting the data using industry-standard technologies.
Public-key cryptography with 2048-bit keys protects the data while in transit. Further, the use of only proven cryptographic protocols makes sure that attackers cannot exploit known weaknesses in encryption.
5.3. Data at Rest
Data stored on physical media are obfuscated using FIPS 140-2 compliant algorithms: the AES algorithm for encryption and the SHA-2 algorithm for hashing. The use of these strong techniques makes sure that the obfuscation cannot be circumvented.
In addition, the storage media themselves are encrypted. Data backups are stored in private, encrypted storage to prevent leakage and misuse.
6. Reviews
We undertake the following reviews periodically to ensure safety and security of User Data:
This document is reviewed on a quarterly basis.
Personnel access to Information Systems is reviewed on a monthly basis. Any access that is no longer required is revoked immediately.
Data retention and disposal processes are reviewed on a quarterly basis.
Application logs are reviewed continuously to identify and address any potential misuse.
7. Approvals
Any changes to this document must be approved by the ISM in order for them to become effective.
8. Contact Information
Any questions or feedback related to this document may be directed to the ISM at infosec [at] amzprep.com.
9. Change Log
September 6, 2022: Added section on contact information.
September 2, 2022: Added sections on reviews and approvals.
September 1, 2022: Initial document version published.