Security Overview

PFAS Registrar implements comprehensive security controls to protect the integrity and confidentiality of chain-of-custody data. Our security program is designed to meet the stringent requirements of environmental compliance documentation while ensuring data privacy and regulatory alignment.

Encryption Standards

Data at Rest

  • AES-256 Encryption: All database records encrypted using the industry-standard AES-256 algorithm
  • Encrypted Backups: Database backups encrypted before storage using the same AES-256 standard
  • Key Management: Encryption keys managed through secure key management system with rotation policies
  • Encrypted Storage: Document attachments (PDFs, images) encrypted at rest in secure object storage

Data in Transit

  • TLS 1.3: All data transmission protected using Transport Layer Security 1.3
  • HTTPS Only: Strict HTTPS enforcement across all application endpoints
  • Certificate Pinning: SSL/TLS certificate validation for API communications
  • Secure APIs: All API endpoints require encrypted connections

Access Controls

Authentication

  • Multi-Factor Authentication (MFA): Required for all administrative and staff accounts
  • Password Requirements: Minimum 12 characters with complexity requirements
  • Session Management: Secure session tokens with automatic timeout after inactivity
  • Password Hashing: Industry-standard bcrypt hashing for stored credentials

Authorization

  • Role-Based Access Control (RBAC): Granular permissions based on job function
  • Principle of Least Privilege: Users granted minimum access necessary for their role
  • Audit Logging: All data access and modifications logged with timestamps and user attribution
  • Client Data Isolation: Strict logical separation between customer datasets

Data Integrity & Custody Log Protection

Chain-of-custody integrity is critical for environmental compliance. We implement the following controls:

  • Immutable Audit Trail: Chain-of-custody events recorded in append-only logs to prevent tampering
  • Cryptographic Hashing: Each custody event protected with a SHA-256 hash so that unauthorized modifications can be detected
  • Timestamp Integrity: Server-side timestamps synchronized with NIST time servers
  • Digital Signatures: Critical documents digitally signed by authorized personnel
  • Barcode Verification: QR code and barcode integrity validated at each custody transfer

Infrastructure Security

Application Security

  • Web Application Firewall (WAF): Protection against OWASP Top 10 vulnerabilities
  • DDoS Protection: Distributed denial-of-service mitigation
  • Security Headers: HSTS, CSP, X-Frame-Options, and other security headers enforced
  • Input Validation: Comprehensive validation and sanitization of all user inputs

Network Security

  • Network Segmentation: Logical separation of application, database, and management networks
  • Firewall Rules: Strict firewall policies limiting inbound/outbound traffic
  • Intrusion Detection: Real-time monitoring for suspicious network activity
  • VPN Access: Secure VPN required for administrative access

Security Testing & Monitoring

Vulnerability Management

  • Annual Penetration Testing: Third-party penetration tests conducted annually
  • Vulnerability Scanning: Automated weekly scanning for known vulnerabilities
  • Dependency Monitoring: Continuous monitoring of software dependencies for security updates
  • Code Review: Security-focused code review for all changes

Security Monitoring

  • 24/7 Monitoring: Continuous security event monitoring and alerting
  • Log Aggregation: Centralized logging for security event correlation
  • Anomaly Detection: Machine learning-based detection of unusual access patterns
  • Incident Response Plan: Documented procedures for security incident handling

Data Retention & Disposal

Retention Policies

  • Active Records: Chain-of-custody records maintained for duration of client relationship
  • Regulatory Retention: Environmental compliance records retained per EPA and state requirements (typically 3-7 years)
  • Audit Logs: Security and access logs retained for 2 years minimum
  • Backup Retention: Encrypted backups retained for 90 days with daily incremental backups

Secure Disposal

  • Data Deletion: Cryptographic erasure of encryption keys renders data unrecoverable
  • Media Sanitization: Physical media destroyed in accordance with DoD 5220.22-M standards
  • Deletion Verification: Documented verification of successful data destruction
  • Certificate of Destruction: Available upon request for compliance purposes

Compliance & Certifications

Current Status

  • SOC 2 Type II Audit: In progress (expected completion Q3 2025)
  • GDPR Alignment: Data processing practices aligned with GDPR principles
  • CCPA Compliance: California Consumer Privacy Act compliance for applicable data
  • NIST Framework: Security controls mapped to NIST Cybersecurity Framework

Planned Certifications

  • SOC 2 Type II certification (Q3 2025)
  • ISO 27001 Information Security Management (2026 roadmap)

Third-Party Security

We carefully evaluate the security posture of all third-party service providers:

  • Vendor Assessment: Security questionnaires and assessments for all vendors with data access
  • Subprocessor Agreements: Data processing agreements (DPAs) with all subprocessors
  • Laboratory Partners: Accredited laboratories required to maintain appropriate data security
  • Cloud Infrastructure: Industry-leading cloud providers with SOC 2 and ISO 27001 certifications

Business Continuity & Disaster Recovery

Backup & Recovery

  • Automated Backups: Daily full backups with hourly incremental backups
  • Geographic Redundancy: Backups replicated to geographically separate data centers
  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 1 hour maximum data loss
  • Disaster Recovery Testing: Quarterly DR drills to validate recovery procedures

Employee Security

  • Background Checks: Criminal background checks for all employees with system access
  • Security Training: Annual security awareness training for all staff
  • Confidentiality Agreements: All employees and contractors sign NDAs
  • Access Revocation: Immediate deactivation of access upon employment termination

Security Incident Response

In the event of a security incident, we follow a documented incident response plan:

  1. Detection: Automated monitoring and alerting systems detect potential incidents
  2. Containment: Immediate isolation of affected systems to prevent spread
  3. Investigation: Forensic analysis to determine scope and impact
  4. Notification: Affected customers notified within 72 hours per regulatory requirements
  5. Remediation: Root cause analysis and implementation of corrective measures
  6. Documentation: Comprehensive incident reports for compliance and improvement

Questions or Concerns

For questions about our data security practices or to report a potential security issue:

Security Team: security@pfasregistrar.com

General Inquiries: hello@pfasregistrar.com

Response Time: Security inquiries addressed within 24 business hours

Responsible Disclosure: We maintain a responsible disclosure policy for security researchers. Contact our security team for details on our bug bounty program.

Last Updated

This data security policy was last reviewed and updated in January 2025.

We review our security practices continuously and update this document quarterly or whenever significant changes occur.