
Data Security Policy

​
Last revised: September 2024
​

This Data Security Policy is incorporated into and forms part of the Terms of Service (the “Agreement”) between Incredable and the person or entity placing a Scope of Services referencing the Agreement or accessing Incredable’s Services (“Customer” or “you”). 

 

Capitalized terms in this Addendum shall have the meanings outlined in this Data Security Policy. Capitalized terms used but not otherwise defined herein shall have the meanings given to them in the Agreement.

 

Incredable implements and maintains technical, administrative, and physical safeguards designed to protect the confidentiality, integrity, availability, and security of the Customer Data using the measures set forth below:

 

1. Technical Measures

 

1.1 Credential Storage and Management with AWS Cognito

Incredable uses AWS Cognito, a highly secure and fully managed service, to handle user authentication, authorization, and user management. AWS Cognito is designed to provide secure and scalable identity management. It securely stores user credentials using strong cryptographic hashing algorithms. Passwords are hashed using industry-standard algorithms like bcrypt or scrypt, making them resistant to brute force attacks. All Customer Data are encrypted at rest and in transit using strong encryption protocols. Furthermore, AWS Cognito complies with several industry standards and certifications, such as GDPR, HIPAA, and ISO 27001, providing an additional layer of assurance regarding data protection.

 

[As Incredable relies on third-party services like AWS Cognito, despite our best efforts, any vulnerability or compromise in the underlying services could potentially impact the Incredable system.]

 

1.2 Data Backup 

A) Schedule and Frequency: All critical Customer Data are backed up daily during the scheduled maintenance window from 12:00 AM CST to 5:00 AM CST and will be stored in Amazon S3, using a secure, dedicated S3 bucket.

​

B) Backup Procedures: Automated scripts or scheduled jobs will handle the backup process, ensuring a consistent and reliable backup routine. Each backup will include all critical data necessary for business continuity, including databases, application data, and configuration files.

​

C) Backups will be retained for 30 days to provide a balance between recovery options and storage costs. After 30 days, older backups will be automatically deleted using S3 lifecycle policies to optimize storage usage and reduce costs.

 

1.3 Data Security

A) Encryption: All backups stored in S3 will be encrypted using AES-256 encryption to protect sensitive data at rest.

​

B) Access Control: Access to the backup data in S3 will be restricted to authorized personnel only. IAM policies will be applied to enforce the principle of least privilege.

​

C) Multi-Factor Authentication (MFA): Access to AWS accounts managing S3 backups will require MFA to ensure robust access control. 

 

1.4 Review and Updates

This Data Security Policy is subject to review at least annually, or as needed to address changes in technology, business processes, or compliance requirements. Incredable may amend this policy from time to time. Please check the policy periodically for updates. The Customer’s continued access and use of Incredable is deemed to be acceptance of those changes.


 

2. Administrative Measures

 

2.1 Incredable Team

Incredable requires an extensive interview and background screening process as part of its hiring process to the extent permitted by law. All Incredable employees are required to sign confidentiality agreements. Incredable also provides ongoing training programs to reinforce security awareness. Employees at Incredable are required to report security incidents involving Customer Data.

 

2.2 Incredable’s Facility

Incredable has the appropriate physical and environmental controls for its data center that administers its services. Access to the Incredable facility is controlled by building ingress points and requires an ID badge. All individuals’ access privileges are reviewed periodically. Ready Doc’s facility also utilizes monitor and alarm response devices, fire detection and protection systems, as well as climate control systems.

 

3. Security Breach Response Plan 

Incredable shall notify Customer of any data breach as soon as practicable, after becoming aware of it. Such notification shall at a minimum describe the nature of the data breach, if known, and the measures taken or proposed to be taken to address the data breach. Incredable will investigate, document, and restore its Services to the extent possible and undertake required response activities. Incredable will also provide regular status updates to the Client on such response activities. For this Section 3, “data breach” shall mean any unauthorized or unlawful processing, losses, destruction, or damage of Customer Data.

​

4. Deletion of Customer Data

4.1 Deletion by You

 Customer may delete any Customer Data as described in your Incredable account. For any questions or additional instructions, please send an email to: support@incredable.com

 

5. Customer’s Responsibilities 

The Customer is responsible for making appropriate use of Incredable’s Services to ensure a level of security appropriate to the particular content of Customer Data. Additionally, Customer is solely responsible for managing and protecting all its Authorized Users and Customer Data, including but not limited to, (i) ensuring that all Authorized Users’ Customer Data are confidential and not shared with unauthorized parties, (ii) promptly reporting to Incredable any suspicious activities related to its account, (iii) appropriately configuring and assigning Authorized User access, including its scope and duration, taking into account the nature of the Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration. The Customer further agrees that it shall promptly update its software or mobile application whenever Incredable announces an update.

 

By using Incredable’s Services or providing Customer Data to Incredable, you agree that Incredable may send out electronic notices regarding security, privacy, and administrative issues relating to the use of Services. To withdraw consent to receive electronic notice of a data breach, please email support@incredable.com.  
