Nightlife venues all over the world entrust Vēmos with their data, and we make it a priority to take our clients’ security and privacy concerns seriously. We do our best to keep client data secure and only collect as much data as required to provide our services to our clients in the most effective manner possible.
Vēmos uses some of the most advanced security technology for the internet that is commercially available today. This security statement is geared towards being transparent about our infrastructure and practices in order to reassure you that your data is appropriately protected.
Application and User Security
SSL/TLS Encryption: Users can only collect and transmit information over secured, encrypted SSL/TLS connections. This ensures that data in transit is safe, secure, and available only to its intended audience.
User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. Vēmos issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
Data Encryption: Certain sensitive user data, such as Point-of-Sale transactions, guest profiles, credit card details and account passwords, is stored in encrypted format.
Data Portability: Vēmos enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.
Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.
Physical Security
Data center access limited to AWS data center technicians
Biometric scanning for controlled data center access
Security camera monitoring at all data center locations
24×7 onsite staff provides additional protection against unauthorized entry
Unmarked facilities to help maintain low profile
Physical security audited by an independent firm
Availability
Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
Power: Servers have redundant internal and external power supplies. Data center has backup power supplies, and is able to draw power from the multiple substations on the grid, several diesel generators, and backup batteries.
Uptime: Continuous uptime monitoring, with immediate escalation to Vēmos staff for any downtime.
Failover: Our database is log-shipped to standby servers and can failover in less than an hour.
Network Security
Uptime: Continuous uptime monitoring, with immediate escalation to Vēmos staff for any downtime.
Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
Firewall: Firewall restricts access to all ports except 80 (http) and 443 (https).
Patching: Latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
Access Control: Secure VPN, multifactor authentication, and role-based access are enforced for systems management by authorized engineering staff.
Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
Storage Security
Backup Frequency: Backups occur hourly internally, and daily to a centralized backup system for storage in multiple geographically disparate sites.
Production Redundancy: Data stored on a RAID 10 array. O/S stored on a RAID 1 array.
Organizational & Administrative Security
Employee Screening: We perform background screening on all employees.
Training: We provide security and technology use training for employees.
Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.
Audit Logging: We maintain and monitor audit logs on our services and systems (our logging systems generate gigabytes of log files each day).
Information Security Policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
Software Development Practices
Stack: We code in Angular/Node and run on ElasticSearch and Firebase.
Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.
Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Vēmos learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.
Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any data you download to your own computer away from prying eyes. We offer SSL to secure the transmission of data.
Last updated: January 17, 2018