Pacer has implemented and will maintain appropriate administrative, technical, and physical safeguards to protect Customer Data as set forth below. Pacer may update these Security Measures from time to time. Pacer will notify Customer if Pacer updates the Security Measures in a manner that materially diminishes the administrative, technical, or physical security features described herein.
Services Security
Architecture. Pacer’s Services are designed with multiple layers of protection, covering data transfer, encryption, network configuration and application-level controls that are distributed across a scalable, secure infrastructure. End Users of the Licensed Services can access Pacer from web and mobile clients which connect to secure services to provide access to Customer Data. The Services can be utilized and accessed through several interfaces. Each has security settings and features that process and protect user data while ensuring ease of access.
Encryption. To protect Stored Data in transit between Pacer and Customer, Pacer uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption, or another cipher with at least equivalent key strength. Customer Data at rest is encrypted using 256-bit AES encryption, or a cipher with at least equivalent key strength. Pacer’s key management infrastructure is designed with operational, technical, and procedural security controls with very limited direct access to keys.
Reliability. The Services have multiple layers of redundancy to guard against data loss and ensure availability.
Information Security
Policies. Pacer has established a thorough set of security policies covering areas of information security, physical security, incident response, logical access, physical production access, change management and support. These policies are reviewed and approved by Pacer at least annually. Pacer employees are notified of updates to these policies and are provided security training as part of Pacer’s standard policies.
Personnel Policy and Access. Pacer internal policies require onboarding procedures that include background checks (to the extent allowed by local laws), security policy acknowledgement, communicating updates to security policy, and non-disclosure agreements. All personnel access is promptly removed when an employee or contractor leaves the company. Pacer employs technical access controls and internal policies to prohibit employees and contractors from arbitrarily accessing Customer Data. To protect the privacy and security of Pacer’s customers, only a small number of employees and contractors have access to the environment where Customer Data is stored. Access requests, justifications, and approvals are recorded by management, and access is granted by appropriate individuals.
Network Security. Pacer maintains network security and monitoring techniques that are designed to provide multiple layers of protection and defense. Pacer employs industry-standard protection techniques, including firewalls, network security monitoring, and intrusion detection systems to ensure only eligible traffic is able to reach Pacer’s infrastructure.
Change Management. Pacer ensures that security-related changes have been authorized prior to implementation into the production environments. Source code changes are initiated by developers who would like to make an enhancement to systems that directly support the Services. Changes to Pacer’s infrastructure are restricted to authorized personnel only. Changes to the application level of the Licensed Services are required to go through automated quality assurance (“QA”) testing procedures to verify that security requirements are met. Successful completion of QA procedures leads to implementation of the change.
Compliance. Pacer, its data center providers, and its managed service provider undergo regular third-party security audits. Pacer will continue to participate in regular Service Organization Controls 2 (SOC 2) audits. Pacer also reviews SOC 1 and/or SOC 2 reports for all subservice organizations. In the event a SOC 1 and/or SOC 2 report is unavailable, Pacer performs security certifications to verify applicable physical, environmental, and operational security controls satisfy control criteria and contractual requirements. Pacer evaluates additional certifications and compliance attestations, as made available to Pacer by the subservice providers, on an ongoing basis.
Physical Security
Infrastructure. Physical access to subservice organization facilities where production systems reside is restricted to personnel authorized as required to perform their job function. Any individuals requiring additional access to production environment facilities are granted that access through explicit approval by appropriate management.
Office. Pacer maintains a physical security team that is responsible for enforcing physical security policy and overseeing the security of our corporate offices. Access to areas containing corporate services is restricted to authorized personnel via elevated roles granted through the badge access system.
Continued Evaluation. Pacer will conduct periodic reviews of its information security policies and procedures as measured against industry security standards and will continually evaluate whether additional or different security measures are required to respond to new security risks or findings generated by periodic reviews.