Legal and policy answers - Stylitics/guide GitHub Wiki

Describe How Client Data (Product Information) Will Be Stored And Protected.

Data will be stored in a PostgreSQL database hosted on Digital Ocean servers and backed up to Amazon S3.

Access control:

  • Digital Ocean servers
    • Product data
      • Method: SSH via keypair only. Database itself additionally protected by OS user / password authentication
      • Grantees: Stylitics Engineering team
  • Amazon S3
    • Product imagery is publicly readable due to the nature of the app
    • Product data
      • Method: Email / Password access to AWS console
      • Grantees: Rohan Deuskar (CEO, Stylitics) & Jeremy Raines (VP of Technology, Stylitics)
  • FTP server hosted by HostedFTP.com (Optional, per client requirements)
    • Only if FTP or SFTP is chosen by the client as the delivery method to Stylitics for product data
    • Data feed files
      • Deleted after ingestion by Stylitics
      • Method: Username and password authentication
      • Grantees:
        • Stylitics Engineering and Operations team members as needed
        • Client team members and/or any feed vendors who need access to deliver the feed

Data Retention

How Long Will Client Data Be Retained At The Third Party?

  • Until receipt of written request to delete or minimum 1 month after contract end date.

How Will Client Data Be Ultimately Destroyed At The Third Party?

  • Deletion from primary and staging database management systems by manual SQL procedures
  • Deletion from S3 backups minimum 1 month subsequent to the above as backups are rotated
  • Stylitics does not currently have a policy for deleting product imagery from S3, but all Stylitics-hosted links to this would be removed from our public APIs upon termination of contract and/or written notice, within 24 hours

Backup And Recovery Controls And Procedures.

  • Hourly full backups to Amazon S3 and live staging server database
  • Full recovery from backup is tested weekly
  • Does Stylitics Use AWS For Storing Client Data?
    • Yes, in the form of
      • database backups
      • processed product imagery (per agreement & client instructions with respect to what type of processing -- typically consists of cropping images, removing backgrounds)

Does Stylitics Have A Current Regulatory Compliance Audit Or Assessment That Covers The Data?

  • No, not for Stylitics itself
  • See also Service/Infrastructure provider resources
    • AWS
    • Digital Ocean
  • Who Conducted The Audit Or Assessment?
    • N/A
  • What Is The Date Of Compliance?
    • N/A