Client Related Policies for Ethicontrol Platform
Fair usage policy
Why do we have a Fair Usage Policy?
The Ethicontrol SaaS product is a multi-tenant service. This means that the SaaS services are used concurrently by a number of subscribers. If a single customer places very high demands on the service, this may affect the experience of other users.
The vast majority of our customers use their service considerately and their usage levels during peak hours don’t disproportionately affect the shared network and service capacity. Even though only a very small number of our customers may use the service inappropriately, their activity has the potential to affect the service for others.
Our Fair Use Policy manages the inappropriate use and makes sure the service can be used fairly by everyone.
Support is typically provided free of charge as part of the Services we offer. To ensure that all customers have equal access to support, we may restrict or suspend access to support for any customer that consumes more support time, or logs more support issues, than a typical customer with a similar number of users and a similar subscription.
Within your SaaS environment you can store documents to record correspondence as well as data and transactions in the database. To make sure that there is enough storage for everyone, we may limit the amount of data you can save. By default it is 10 GB.
The amount of storage may depend on your type of contract and number of users. We've made sure that almost all customers have plenty of disk space when the solutions are used normally. You can always request the actual size of your data storage from our service desk. You can also free up more storage by removing data yourselves, or asking us to help you with our clean-up-service.
If we detect that your organisation consistently stores more data than we consider fair and normal, we'll contact you to discuss the situation. It's possible to expand your storage and, if appropriate, we will charge no more than the published and publicly available Microsoft Azure / AWS / Linode storage charge for the relevant storage solution plus 20%. At that point we'll contact you to discuss alternative storage options.
Network Traffic and Bandwidth
To prevent a negative effect of excessive network traffic on your user experience or that of others, we monitor the traffic. We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the network bandwidth available to you. If we detect a situation that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available bandwidth.
Amount of sent and received emails
To prevent spam, we use worldwide blacklists, and spam blockers among other things. To guarantee smooth email traffic from our SaaS products for you and our other customers, we monitor the mail servers.
Spam and blacklisting could happen when excessive amounts of emails are sent from the SaaS environments, for example. We maintain very broad margins based on the average use of our SaaS customers with similar contracts. With normal use, you won't notice a thing.
When we detect abnormal values that could negatively impact the service, we may limit the number of emails you can send, or take other action as appropriate. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.
Compute and Load
To prevent a negative effect of excessive use of compute resources on your user experience or that of others, we monitor the compute resources.
We compare your use to the average use of all our SaaS customers with the same contract. With normal use you don't have to worry about the compute services available to you.
Where increased usage is caused by the normal growth of users and customers, we will scale the resources available. If we detect a situation that reflects abnormal use or that could lead to a decrease in service, we will contact you to discuss the situation. In some situations, we can intervene by limiting the available compute resource.
Urgent and Extreme Cases
In an urgent or extreme case, for example where services are likely to be significantly impacted, where we believe your system or ours is under attack (for instance a DDoS, distributed denial of service, attack), or where we believe your system or ours has been compromised (for example by a hacker or a potential security breach), we may stop the services or temporarily block your access to them. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.
In some cases, even without an attack or breach, if your use of the services continues to impact other users, is expected to do so, or is generating costs to us that are not normal when compared to other customers on the same contract and make our service to you unprofitable to maintain, we may isolate your services from the multi-tenanted environments and pass the costs onto you. Before we do this, or in urgent situations immediately after doing so, we'll always contact you to discuss possible solutions.
Legal use only
The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that:
(a) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;
(b) facilitates illegal activity;
(c) is otherwise illegal or causes damage or injury to any person or property;
and Ethicontrol reserves the right, without liability or prejudice to its other rights against the Customer, to disable the Customer's access to any material that breaches the provisions of this clause.
Ethicontrol shall fully co-operate with any law enforcement authorities or court order requesting or directing Ethicontrol to disclose the identity or location of anyone posting any material in breach of this Legal use only clause.
Respect for intellectual property
The Customer shall not:
(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:
(i) and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services or Product Description (as applicable) in any form or media or by any means; or
(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services; or
(b) access all or any part of the Services and Product Description in order to build a product or service which competes with the Services and/or the Product Description; or
(c) use the Services and/or Product Description to provide services to third parties; or
(d) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Product Description available to any third party; or
(e) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Product Description.
Unauthorised use prevention
The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Product Description and, in the event of any such unauthorised access or use, promptly notify Ethicontrol.
The rights provided under this Service Agreement are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer. Only one subscription to the Services may be activated by any company, person or other entity. Duplicate subscriptions for any company, person or entity shall be considered a material breach of the Service Agreement.
The Customer undertakes to ensure that all Users comply with this Agreement and acknowledges that the Customer shall remain responsible and liable for the acts or omissions of all Users to the same extent as if the Customer had carried out such acts or omissions itself.
Responsibility for the security of any usernames and passwords issued (including those of any Users) rests with the Customer. If the Customer has reason to believe that their credentials or User account details have been obtained by another party without consent, the Customer should contact Ethicontrol immediately to suspend the account.
Data Breach Notification Policy
This policy defines what qualifies as a breach of user data, what actions will be taken in the event of user data exposure or compromise, and the timeline for action.
This policy applies to user data stored on Ethicontrol.com. It does not apply to self-hosted / on-premises instances or to instances hosted with providers other than Ethicontrol.com.
Data Classification - What information is covered by this policy
This policy covers "private user data" stored by Ethicontrol.com, and includes:
- Client's database
- Client's files
- Encrypted Passwords
- Private Email Addresses
Note: Ethicontrol.com does not store any "personally identifiable information" (PII) such as (i) private addresses, (ii) credit card numbers, (iii) bank account information, (iv) ID numbers (e.g. passport, driver's license, social security, national identification, etc.). Ethicontrol.com and its subdomains also do not store any "personal health information" (PHI). Therefore, laws and regulations relating to PII and PHI do not apply.
What qualifies as a breach?
A breach of user data is the unintended or accidental exposure of private user data. This can be caused by accidents, misconfigurations, or malicious actions performed by an external attacker or team member.
An event is considered a data breach when there is evidence that private user data has been exposed to the public or to an untrusted third party.
Trusted third parties may have authorized access to user data under a signed Non-Disclosure Agreement (NDA). Such trusted third parties include but are not limited to:
- Cloud service providers
- Database consultants
- Security auditors
- Financial auditors
Some examples of a user data breach would include:
- Compromise of a database server that contains private user data with evidence that an attacker may have had access to or copied the data off-site.
- Compromise of an application server account that has access to private user data and evidence that the attacker has downloaded or accessed private data.
- Theft of a device known to contain private user data.
- Web application attack used to download a list of all user emails and encrypted passwords.
What is not considered a breach?
Examples of security incidents that would not be considered a breach of private user data:
- Compromise of an application server that does not contain or have access to private user data.
- Compromise of a team member application account that does not have access to private user data.
- Malware infection on a server or team member computer system that does not contain private user data.
- Compromise of non-sensitive user data such as login IP addresses, login history, project permissions.
- Unintentional disclosure of project names, group names, issue titles, or project or user metadata unless this data can cause damage to the user or their business.
- Discovery of a vulnerability that could have been used to compromise private data, but for which there is no evidence of exploitation.
- Theft of a team member's mobile device that does not contain private user data.
- Theft of a team member's private keys, tokens, or other credentials provided there is no evidence they were used to access private user data.
You can check out these common non-vulnerabilities that will not be considered a breach.
Who will be notified in the event of a data breach
If Ethicontrol has detected evidence of a breach of Ethicontrol.com or Ethicontrol Hosted private user data, all affected users will be notified via the configured email address for their accounts. Emails will contain information on what data was exposed or compromised, when, and for how long (to the extent this information is available).
For a breach that exposes private data for a large number of users, affected users will also be informed via the configured email addresses for their accounts, and additional means of public communication (e.g. a press release, the blog, etc.) will be considered on a case-by-case basis.
Ethicontrol will endeavor to notify users within 24 hours of breach discovery. This may be delayed when necessary to comply with requests by law enforcement.
Report security issue
We know how much work goes into pen testing!
To avoid frustration, you can check out these common non-vulnerabilities that don't qualify for rewards.
Got a valid issue? Awesome! Please include:
- A summary of the problem
- A severity rating from 1 to 5 (1 being least severe, 5 being most severe, i.e. you can easily hijack, impersonate or access any other account or data)
- A PoC or a breakdown of how to replicate the issue
- The operating system name and version, as well as the web browser's name and version, that you used to replicate the issue
Send to security (at) ethicontrol.com
We're eternally grateful for all of those who put in hard work to identify weaknesses within Ethicontrol.
For reports that are not common non-vulnerabilities, we like to reward those who responsibly disclose vulnerabilities with an acknowledgement, swag or bounty money.
Whisky and biscuits can also be provided during a one-to-one meeting.
We appreciate the work that goes into finding and disclosing security flaws in Ethicontrol and would like to thank the following individuals and organisations:
System requirements for users
Web intake users
- Computer and processor 1 gigahertz (GHz) or faster
- Memory 2 GB RAM
- Hard disk 3 GB available disk space
- Display - any screen resolution
- Operating system - for the best experience, use the latest version of any operating system.
- Browser - any
Incident and case management users
- Computer and processor 1 gigahertz (GHz) or faster x86 or x64 processor with SSE2 instruction set
- Memory 4 GB RAM
- Hard disk 3 GB available disk space
- Display - for the best experience, use displays with a width of at least 768 px (medium-sized tablets and larger)
- Operating system - any
- Browser - one of:
- Chrome 21+ (recommended)
- Firefox 28+
- Edge 12+
- Safari 7+
- Opera 17+
- Android 6.0+
Internet Explorer is NOT supported.