Cybersecurity Policy Statement
Carmmunity, Inc. (“us”, “we”, or “our”) operates http://www.carmmunity.io and hosts an MNVest portal on https://siliconprairie.online (the “Platform”). This page informs you of our policies regarding the collection, use and disclosure of Personally Identifiable Information (“PII”) we receive from users of the Platform, as well as our cybersecurity policies and procedures with respect to data breaches and notifications. For policies regarding Silicon Prairie, please refer to their page at https://sppx.io/cyber.
Information Collection and Use
We use your personal information only for providing the services offered and improving the Platform. By using the Platform, you agree to the collection and use of information in accordance with this policy. While using the Platform, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
- Your name & email address
- Addresses & phone numbers
- Driver’s license number & image
- SSN (if you are an issuer or investor)
Privacy & Security
The privacy & security of your personal information is important to us. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. You have a right to request a copy of all PII that we maintain on your behalf and to amend or correct the PII, as well as the right to have your account disabled. We have certain regulatory obligations to maintain investor records for a period of time up to and including seven (7) years or as directed by local, state and federal authorities.
Between Carmmunity and Silicon Prairie, we use a combination of administrative, preventative and detective controls to ensure that our Platform and our users’ data are secured against cybersecurity attacks and that confidentiality, integrity and availability are maintained. All hardware for the portal is owned and managed directly by portal staff; data center company staff do not have administrative access. Carmmunity’s web server is hosted by a web host, and any data used on this site is available to Carmmunity’s administrative staff and the web host.
We follow industry best practices with regard to our data center deployments, including but not limited to:
- Distributed Denial of Service (“DDOS”) protection
- Web application & network firewalls
- Network segmentation (“DMZ”)
- Protocol breaks and inspection
- All web traffic uses Secure Sockets Layer (“SSL”) encryption
- Two-Factor Authentication (“2FA”) required for administrative access
Our portal software is built upon a fine-grained role-based access control system (“RBAC”) to ensure segregation between regular users, vetted investors, issuers, and partners.
The system implements an anti-automation mechanism to protect against sophisticated “robo-attacks” on user accounts, as well as a failed-login lockout mechanism that blocks a user from logging in after seven failed attempts. Administrative staff are notified automatically via email when a user or host is blocked.
Security Monitoring and Incident Response
We leverage network and endpoint-based controls to facilitate security logging and monitoring of user activities, exceptions, faults, and events in accordance with business, legal, and regulatory requirements. Collected logs and associated analysis are appropriately archived, protected from unauthorized access, and regularly reviewed.
We have established and maintain an incident response process and, where required, reporting processes for disclosure of PII in the event of data loss or a data breach. If we have reason to believe that a user’s data was compromised, we will:
- Notify them in writing at the last known address on file, or
- Notify them by email if that is their preferred method of contact
- Notify all recognized consumer reporting agencies in the event the breach exceeds 500 records
All notifications will be made within 48 hours of discovery unless otherwise requested by law enforcement. We will also notify the respective state administrators according to their individual disclosure requirements; in Minnesota this is pursuant to Minnesota Statutes section 325E.61.
We encourage our employees, investors, issuers and others to report any and all suspicious activity to [email protected].
Changes to This Policy