Both the public side and the back-end of ASAP are secure.
We use the highest level of encryption on both sites. The public encryption begins when your customers try to login or create an account. All of their demographic information, shop cart information and payment information is entirely secure using standard 2048 bit / SHA256 or higher encryption. The entire back end of ASAP where you run reports, enter demographics, retrieve information and build your schedules is entirely secure using the same 2048 bit / SHA256or higher encryption. In addition, all the data in the database is behind a secure firewall that is monitored and only accessed by authorized personnel who are all employees of ASAP and under strict confidentiality agreements. Your public site is secure over the entire experience once the customer arrives on the site. The URL will change from http to https. The "s" shows that the site is secure, which is often signified on browsers with a small lock image.
The security and encryption used is Symmetric Encryption, implemented within the .NET framework. We also have other methods implemented including various other tools (e.g. TLS 1.2) and cipher keys which we can discuss with you if necessary.
NOTE regarding security and the Saved Credit Card feature: If ASAP stores credit card information based on Preference Settings or the use of ASAP Recurring Billing, that card information is encrypted within the ASAP database according to PCI guidelines (https://www.pcisecuritystandards.org/index.php). At no time is the card information viewable by a customer, ASAP user or member of ASAP's staff. Only limited information needed to identify a card is available such as last four digits, type and expiration date. ASAP takes data security and card processing requirements very seriously. ASAP maintains PCI-DSS compliance at all times and is a registered Service Provider with both Visa and MasterCard.
ASAP Security and Backup Summary
The ASAP database resides in the scalable cloud database service Azure SQL Managed Instance. SQL MI preserves all PaaS capabilities such as automatic patching and version updates, data protected with automated backups, built-in high availability, hybrid disaster recovery with failover between SQL Managed Instance and SQL Server, user-initiated backups that can be restored to SQL Server, customer configurable backup retention period and point-in-time database restore capability.
ASAP is also a registered Service Provider with both Visa and MasterCard. ASA and our websites are PCI-DSS compliant and our systems are scanned, at a minimum, on a quarterly basis by a third-party organization to ensure they meet the PCI-DSS standards. You may request a copy of our most current PCI Certificate and/or AOC by contacting firstname.lastname@example.org. All employees of ASAP sign strict confidentiality agreements and security policy agreements upon hiring. Only employees who need access to the servers are allowed to do so. Access to the servers is restricted by IP address as well and we have up-to-date firewalls and anti-virus software in place on all servers and the domains.
Databases in Azure SQL Managed Instance use SQL Server engine technology to back up and restore data.
Azure SQL Managed Instance creates: Full backups every week, Differential backups every 12 to 24 hours and Transaction log backups every 10 minutes.
Point-in-time restore (PITR) allows short-term backup retention of 30 days.
Long-term retention policies enable you to keep weekly full backups for up to 4 years.
By default, Azure SQL Managed Instance stores data in geo-redundant storage blobs that are replicated to a paired region. Geo-redundancy helps protect against outages that affect backup storage in the primary region. It also allows us to restore instances to a different region in the event of a disaster.
This is part of the ASAP Disaster Recovery Plan, which is reviewed by management, at a minimum, on a yearly basis.
ASAP carries both regular business liability insurance coverage as well as E&O cyber-liability insurance coverage that covers our services provided to clients in processing monetary transactions and holding personal private information.
Please contact email@example.com for more information.