We understand that data security is a critical issue for production companies and their workers. Our platform conforms to industry best practices and follows the same technology standards used by Netflix to the big banks.

Compliance

PIPEDA

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulates how organizations handle the personal information of Canadian residents and grants them certain rights regarding their personal information. Circus is committed to being compliant with PIPEDA. As a provider of enterprise design tools, As a provider of enterprise production management and payment tools, Circus is primarily a service provider under PIPEDA.

CCPA

The California Consumer Privacy Act (“CCPA”) regulates how organizations handle the personal information of Californian residents and gives them certain rights with respect to their personal information. Circus is committed to be compliant with the CCPA. As a provider of enterprise production management and payment tools, Circus is primarily a service provider under the CCPA.

DATA SECURITY

All of Circus’ services are hosted in Amazon Web Services (AWS) facilities in Canada and the United States, split by the target resident. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

Data classification

Circus classifies the data they own, use, create, and maintain into the following categories:

• Confidential - Customer and personal data

• Internal - Circus-internal operational data that should not be disclosed

• Public - For example, the marketing material and content on this website

Encryption at rest

Circus uses the AWS-managed data store Amazon S3 to store customer data, including backups. All these AWS services have been configured to use encryption at rest and sensitive fields are further double-encrypted using AES with 256-bit SSL/TLS keys.

In additional Circus implements HTTP Strict Transport Security and a Content Security Policy. Non-essential ports are blocked, critical endpoints are rate-limited, and no financial data is stored. Passwords are hashed and salted, all client-side communications are validated server-side, and data is encrypted using AES-256. Documents are securely stored on Amazon S3, and all sensitive fields and account data are encrypted.

Secrets and encryption key management

Circus uses AWS Parameter Store for securely storing and managing secrets that are used by services. Circus uses AWS Key Management Service (KMS) to encrypt and decrypt these secrets as well as manage all encryption keys in use by Circus services. Access to secrets and encryption keys are restricted to the services on a least privilege basis and are managed by the Circus infrastructure team. Master access keys are never distributed to employees, nor are any access keys stored in version control systems or as plain text. Each employee is issued individual access keys with developer-only access.

Separation of environments

Circus fully separates and isolates their production, staging, and development networks and environments. Engineers only work with anonymized data.

Data loss or security breach

In the event of a data loss or potential security breach, customers will be immediately notified and kept informed in real-time as Circus assesses the situation. Circus will promptly implement all necessary measures to secure and recover your data. A comprehensive incident report will be provided by Circus if any incidents occur.

PRODUCT SECURITY

Secure development

Circus practices continuous delivery. We have processes and automation in place that allow us to safely and reliably roll out changes to our cloud infrastructure and web-based applications in a rapid fashion. We deploy new changes to production dozens of times a week.

• All code changes are requested through pull requests and are subjected to code reviews and approval prior to being merged to the master and production branches.

• Circus uses GitHub to automatically create pull requests to update outdated dependencies.

• Circus uses Sentry to track errors in the web and desktop applications.

• Circus uses SIEM technology for continuous monitoring and overview to our network and applications.

• Circus' security team works closely with the engineering teams to resolve any potential security concerns that may arise during design or development.
  
  

Source code

Circus ensures the highest standards of code security and performance by performing static code analysis on all production code, integrating and unit testing all critical systems, vetting all sub-dependencies, and bundling them directly into the Circus application. Additionally, we strictly comply with source code and open-source licensing requirements.

External security testing

In addition to our internal security scanning and testing program, Circus employs third-party firms to conduct extensive penetration tests of all application and cloud infrastructure on a regular basis. Findings from these penetration tests are prioritized, triaged, and remediated by the Circus security team. Copies of the reports are available to Enterprise customers upon request.

Machine-learning redaction

Circus uses advanced machine-learning to automatically redact all financial data on residency documentation uploaded by Workers, limiting risk to productions.

Infrastructure and network security

Transport security

Circus requires the use of TLS to secure the transport of data, both on the internal network between services as well as the public network between the Circus applications and the Circus cloud infrastructure. Circus' TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which supports important security features such as Forward Secrecy.

External attack surface

Circus only exposes public (web) applications and APIs to the public internet. All other services are only available on the internal network, and accessible by employees using a VPN or single sign-on proxy. The external attack surface is monitored for changes by a third-party service.

Network segmentation

Network segmentation is a foundational aspect of Circus’ cloud security strategy. Circus achieves segmentation boundaries at various layers of their cloud infrastructure. Circus uses a multi-account strategy within AWS to isolate production, development, and test environments, but also domains such as logging, security, and marketing. Within AWS, Circus uses VPCs, security groups, network access control lists, and subnets to further isolate services.

Intrusion detection and prevention

Circus maintains an extensive centralized logging environment in which network, host, and application logs are collected at a central location. Circus has also enabled detailed audit trails with critical service providers like Google G Suite, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior. These systems will generate events which are monitored around the clock by a security operations center (SOC).

ORGANIZATIONAL SECURITY

Security training

All new hires require security awareness training as part of their on-boarding and and all employees are required to attend the annual security awareness training. Circus engineers are required to attend an annual security training designed specifically for engineers.

Asset inventory

Circus maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices. Access to Circus customer data is granted strictly on a need-to-know basis and adheres to the principle of least privilege. The security team diligently audits and monitors all customer data. Circus support and customer-facing employees receive access only after obtaining explicit approval from the respective customer. Furthermore, all Circus employees have signed a non-disclosure agreement to ensure the confidentiality of customer information.

Security incident management

The security team at Circus consolidates logs and audit trails from various sources into a central repository, utilizing advanced tools to analyze, monitor, and flag any anomalous or suspicious activity. Circus' internal processes outline the procedures for triaging, investigating, and, if necessary, escalating alerts. Both customers and non-customers are encouraged to report any potential security weaknesses or suspected incidents to Circus Security. In the event of a serious security incident, Circus possesses the expertise to thoroughly investigate and resolve the issue. If required, Circus can also access external subject matter experts.

Security incident management

Circus upholds a comprehensive set of information security policies that form the foundation of our information security program. All Circus employees are required to review these policies during their onboarding process. These policies cover various critical topics and are available to Enterprise customers upon request.

• Access control

• Change management

• Risk management

• Data classification and asset inventory management

• Incident response and management

• Network security

• Encryption and key management

• Human resources security

• Information transfer

• Secure development

• System monitoring and logging

• Vendor management

• Vulnerability management and malware protection

• Mobile device management and remote working

• Business continuity and disaster recovery

OPERATIONAL SECURITY

Backups and disaster recovery

All Circus customer data is stored redundantly across multiple AWS data centers (availability zones) to ensure high availability. Circus has well-tested backup and restoration procedures in place, enabling swift recovery in the event of single data center failures or disasters. Customer data is continuously backed up and securely stored off-site. Backup restoration processes are thoroughly tested every 30 days to ensure our procedures and tools function as expected.

Endpoint security

Circus exclusively utilizes Apple MacBook devices, all centrally managed through our internal mobile device management solution. This allows us to enforce robust security settings, including full disk encryption, network and application firewalls, automatic updates, screen timeouts, and anti-malware solutions. In the event that employee devices are lost or stolen, data on these devices can be remotely wiped to ensure security.

Risk management and assessment

Circus conducts periodic risk analyses and assessments to ensure that our information security policies and practices comply with relevant requirements and regulatory obligations.

ENTERPRISE SECURITY

Circus Enterprise includes all our general security measures, plus additional features and enhancements to provide even more customization and privacy.

Single sign-on (SSO)

Circus supports single sign-on (SSO) for Enterprise customers with identity providers like Okta. By using the customer’s existing identity management solution, Circus provides an easy and secure way for companies to manage their team members’ access.

Role-based access control (RBAC)

Circus supports role-based access control, which means the access of team members within an organization are dictated by their role. Administrators can assign team members specific roles or revoke access using the Circus workspace or production dashboard.

Security vulnerability disclosure

If you would like to disclose a potential security vulnerability or have security concerns about a Circus product, please reach out to security@cirushr.com. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have.