PacerPro Security

About PacerPro

PacerPro is a SaaS (Software as a Service) that provides document search and storage for information retrieved from the PACER (pacer.gov) system. We integrate a variety of software and service providers together. As such, our security policy is an amalgam of both our own policy and procedures and those of our upstream vendors.

Platform

Our application servers are hosted by Heroku, a PaaS (Platform as a Service) provider. They provide physical facility, servers, data storage, and networking for us. Their security policy may be accessed on the Internet.

Data Practices

Access

Customers are permitted to view only their own data and no one else's. Site administrators may look at customer data for diagnostic purposes only. Access is controlled via password authentication. Administrative access is limited to designated individuals.

Encrypt Sensitive Data at Rest

All customer sensitive data, e.g. passwords, PACER credentials, and banking information, are encrypted and/or tokenized using industry standard encryption.

Encrypt Data in Transit

Our applications communicate over HTTPS and SSL at all times to protect sensitive data to and from customers.

Logging

We capture logs from our servers using the logentries service. Sensitive data are redacted automatically before storage, so credentials and account numbers never reach the log store. Old logs are purged automatically after 30 days.
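The redact-before-storage and 30-day purge described above, shown as an added illustration that is not PacerPro's code and not the logentries service's own processing. It assumes each log line begins with an ISO-8601 timestamp followed by a space; the redaction patterns, the key names they look for, and the sample log lines are all constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical redaction rules, constructed for this example. Each tuple is
# (compiled pattern, replacement). Rules run in order on every log line
# before it is stored, so secrets are replaced before they reach the log store.
REDACTION_RULES = [
    # key=value secrets in query strings or form bodies, e.g. password=hunter2
    (re.compile(r'(?i)\b(password|passwd|pacer_password|token|api_key)=[^\s&,]+'),
     r'\1=[REDACTED]'),
    # JSON-style fields, e.g. "pacer_password": "s3cret"
    (re.compile(r'(?i)("(?:password|pacer_password|token|api_key)"\s*:\s*")[^"]*(")'),
     r'\1[REDACTED]\2'),
    # Authorization headers carrying bearer or basic credentials
    (re.compile(r'(?i)(authorization:\s*(?:bearer|basic)\s+)\S+'),
     r'\1[REDACTED]'),
    # Long digit runs that look like card or bank account numbers
    # (13 to 19 digits, optionally separated by spaces or dashes)
    (re.compile(r'\b\d(?:[ -]?\d){12,18}\b'), '[REDACTED-NUMBER]'),
]

# Retention window stated by the policy: lines older than this are purged.
RETENTION = timedelta(days=30)


def redact(line: str) -> str:
    """Return the log line with every matching secret replaced by a marker."""
    for pattern, replacement in REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


def parse_timestamp(line: str) -> datetime:
    """Assumption: each line starts with an ISO-8601 timestamp and a space."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def is_expired(line: str, now: datetime) -> bool:
    """True when the line has reached the 30-day retention limit."""
    return now - parse_timestamp(line) >= RETENTION


def process_logs(lines, now):
    """Redact every line, then drop lines past the retention window.

    Returns (kept_lines, purged_count).
    """
    kept, purged = [], 0
    for line in lines:
        clean = redact(line)
        if is_expired(clean, now):
            purged += 1
        else:
            kept.append(clean)
    return kept, purged


# Constructed sample log lines for demonstration; none are real records.
SAMPLE_LOGS = [
    "2024-03-10T12:00:00+00:00 POST /login user=alice password=hunter2 ok",
    '2024-03-11T08:30:00+00:00 pacer.sync {"pacer_password": "s3cret", "case": "1:24-cv-00001"}',
    "2024-03-12T09:15:00+00:00 GET /api/cases Authorization: Bearer eyJhbGciOi.fake.token",
    "2024-03-12T09:16:00+00:00 billing.update account=4111 1111 1111 1111 status=ok",
    "2024-01-01T00:00:00+00:00 old line password=stale",
]

# Fixed "current time" so the demonstration is reproducible.
DEMO_NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)


def run_demo():
    """Process the constructed sample lines against DEMO_NOW."""
    return process_logs(SAMPLE_LOGS, DEMO_NOW)


if __name__ == "__main__":
    kept_lines, purged_count = run_demo()
    for entry in kept_lines:
        print(entry)
    print(f"purged {purged_count} expired line(s)")
```

Redaction runs before the retention check on purpose: a line that is about to be purged still passes through the filter, so a secret never lingers even briefly in an unredacted form. Pattern lists like this are only as good as their coverage, so a test suite that feeds known secret shapes through `redact` and asserts they disappear is the natural companion to the filter.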

Audits

We test our application thoroughly and continuously before each release. These tests are automated so that every time there is a code change, the entire test suite is run. We include security tests in our code to prevent policy violations. We will not release anything into production until all tests are passing. In addition to testing, we run our code through a series of "static analysis" tools at Code Climate. These tools scan for security issues, which we address as they are detected. Finally, we run a dynamic security scan using the (poorly named) Tin Foil Security service to identify any "well-known" security vulnerabilities.

Other Vendors

We use the following vendors, who have their own security policy and procedures.
Service    Purpose                   Policies
Sendgrid   in- and out-bound email   Security policy