
The following is a policy document from Socialtext regarding operations and security practices for hosted data.

Privacy

Socialtext treats the privacy of its customer data with the highest priority.

SSL is a standard option. For customers that request it, all data communications with our servers are encrypted using SSL.

As a matter of policy, all customer data is treated as confidential, and routine systems administration tasks do not expose customer data to employees.

We use system transaction data to do capacity planning, load balancing, and systematic improvements to the Socialtext hosted service. We review log files to determine usage patterns.

In our development roadmap, but not yet implemented, is a plan to use encryption for on-disk storage of data to further minimize the risk that routine systems maintenance exposes customer information to systems administrators.

Security

All Socialtext data servers are run in hardened data centers with 24x7 engineering support, key-controlled access, power conditioning, backup power, and HVAC.

Socialtext takes proactive steps to ensure the systems integrity of its running servers. Socialtext carefully monitors security alert services including those run by SANS and regularly applies required patches and upgrades.

All systems administration of the Socialtext servers is done through secured, encrypted communications (SSH). The number of employees with access to machines housing customer data is kept to a minimum.

All activity that affects customer data is logged, and those logs are periodically reviewed and scanned for anomalous behavior.

Backups and data integrity

All Socialtext customer data is backed up nightly to off-site, geographically distributed secured data storage centers, where the data is available for restoration 24x7. The backup path is run over an encrypted link, and access to the backup data is strictly controlled.

Should a customer require it, we have a procedure for removing all extant backups of a workspace.

All Socialtext customer data is housed on RAID arrays, which means that the failure of any one disk drive does not impact online operations, and the failed drive can be replaced without extensive downtime.

Business continuity

Socialtext has a business continuity plan, including:

The core Socialtext system is based on Socialtext Open, an open source product. Customers will be able to migrate to an open source version if necessary or desired. This reduces the risk to customers in case of interruption to Socialtext operations.

Page Last Updated: Feb 10 2:40pm by Don Thorson

