Mellow Data Protection & Handling Policy
- Mellow-Home developers deny access to unauthorized IP addresses by enabling AES-256 encryption and a network firewall. All public access is denied.
- Each month, we review a single list of authorized people and services that have access to customer information and remove accounts that no longer need access.
- Mellow-Home developer employees are restricted from storing customer data on personal devices.
- Mellow-Home developers detect unusual usage patterns and login attempts, maintain and enforce “account lockouts”, and disable accounts that have access to customer information as needed.
- Mellow-Home developers enforce HTTPS encryption for all customer information transferred within the network or between hosts.
- Mellow-Home developers enforce this security control on all applicable external endpoints used in internal communication channels, including, but not limited to, data propagation channels between storage tier nodes, connections to external dependencies, and operational tools.
- Mellow-Home developers disable communication channels that do not provide encryption in transit, even if they are not used, for example by removing the associated dead code, configuring dependencies only with encrypted channels, and restricting access credentials to the use of encrypted channels.
- Mellow-Home developers use the AWS Encryption SDK wherever channel encryption such as TLS is terminated on untrusted multi-tenant hardware such as untrusted proxies.
Data Retention and Recovery:
- Mellow-Home developers only keep PII when necessary to fulfill the order, but do not calculate/transmit taxes or within 30 days of delivery of the order. If the Mellow-Home developer is required by law to keep an archived copy of PII for tax or similar regulatory purposes, this archived customer information will be stored "cold" or offline and may not be used immediately or interactively. All backups are stored in a physically secure facility, and all data stored on the backup media is encrypted. If PII is lost, Mellow-Home can recover all lost PII.
- Mellow-Home Developers create, document and comply with the Mellow-Home Privacy and Data Processing Policy for applications or services governing the appropriate behavior and technical controls applicable to managing and protecting information assets.
- Mellow-Home developers maintain and regularly update an inventory of software and physical assets such as computers and mobile devices that have access to PII. Records of data processing activities such as collection, processing, storage, use, sharing and disposal methods for specific data fields and all PII information are maintained to establish accountability and compliance.
Encryption and Storage:
- Mellow-Home developers use AES-256 to encrypt all unused PII, including, but not limited to, data persistence using industry best practice standards. All cryptographic materials, including, but not limited to, a daemon that implements encryption/decryption keys and encryption functions, a virtual trusted platform module, and a daemon that provides encryption/decryption APIs used for unused PII encryption, can only be accessed by the processes and services of Mellow-Home developers.
- Mellow-Home developers do not store PII on removable media, including but not limited to USB, public unsecured cloud applications and/or public links provided through Google Drive.
- Mellow-Home developers safely dispose of printed documents containing PII.
Least Privilege Principle:
- Mellow-Home developers implement a fine-grained access control mechanism to empower all parties using the application. This includes, but is not limited to, access to specific data sets and allowing application operators to access certain configuration and maintenance APIs (e.g. kill switches), according to the principle of least privilege. Application sections or functions that provide PII are protected by a unique access role and access is granted only on a "need to know" basis.
Logging and Monitoring:
- Mellow-Home developers collect logs to detect security-related events including, but not limited to, access and authorization, intrusion attempts, or changes to application and system configurations.
- Mellow-Home developers apply this logging mechanism to all channels, including, but not limited to, service APIs, storage layer APIs, or management dashboards that provide access to customer information. All logs are subject to access controls to prevent unauthorized access and tampering throughout their entire lifecycle. The log itself does not contain PII and is kept for at least 90 days for reference in case of a security incident.
- Mellow-Home developers are implementing mechanisms to monitor logs and all system activity to trigger investigation alerts for suspicious activity, including, but not limited to, multiple unauthorized calls, unexpected request rates and data retrieval volumes, and access to canary data records.
- Mellow-Home developers conduct investigations when monitoring alarms are triggered. This event is documented in the developer's Incident Response Plan.
- Mellow-Home Developers must maintain all appropriate books and records reasonably necessary to verify compliance with the Service Usage Policy, Data Protection Policy and all customer Agreements during the term of the Agreement and for the 12 months thereafter.
- Upon Customer's written request, Developers must certify in writing to Customer that they are in compliance with these policies.
- Mellow-Home Developers work with customers or customers' auditors and all other customers regarding any audits that may occur at Mellow-Home Developer's facilities and/or subcontractor facilities. If an audit reveals a defect, breach, and/or non-compliance with customer's or customer's auditors' terms and conditions or policies, Mellow-Home will take all steps necessary to resolve such deficiencies within an agreed upon period at its sole expense.