Security Commitment

Last updated : February 28, 2022

Last revision : 


This document will be effective from Tuesday, 1 March 2022.


POPIT SNACK PLATFORM DOCUMENT COMMITMENT OF SECURITY

Our Commitment to Security Assurance

The purpose of this Commitment to Security Statement is to give PopIt Snack Platform users and prospective clients an objective description of the system's boundaries and of our security commitments.

These goals form the confidentiality, integrity and availability (CIA) triad, the basis of every security program; each security measure addresses at least one of the three goals:

  1. Protect the confidentiality of data
  2. Preserve the integrity of data
  3. Promote the availability of data for authorized use


Our Basis Policy on Information Security

PT. Mandiri Tunggal Sejahtera / MTS Group Holding, LLC. (the "Company", "We", "Our", "Us") is deeply aware of the importance of protecting the information assets of customers and other parties. We formulate and maintain an information security policy that acts as the foundation for an information security management system, which provides the mechanism for achieving this objective. All personnel engaged in our operations comply with the regulations of this information security management system. The regulations are enforced and maintained, and their operational status is audited, in an effort to continuously improve the system.

  • Commitment to Information Security

With an understanding that ensuring information security is one of the most critical tasks of management, as well as a corporate social responsibility, the Company will ensure that every person engaged in its operations will be committed to it.

  • Information Security Policy

To build an information security management system aimed at protecting information assets, the Company will set out an information security policy that serves as a foundation for the system. It will comply with it and continuously review it to improve its services.

  • Protection of Information Assets

The Company will institute appropriate management measures, according to the state of individual operations, to reliably protect information assets from any threat to their confidentiality, integrity and availability.

  • Compliance with Laws and Regulations

The Company will comply with applicable laws and regulations, other rules and contractual requirements in order to ensure information security.

  • Education and Training

The Company will offer education and training to personnel engaged in its operations in order to improve their awareness of information security and familiarize them with the information security policy.

  • Prevention of and Response to Incidents

The Company will run its information security management system so that every employee works to prevent information security incidents from occurring. Should an incident take place, we will swiftly implement appropriate actions, including those for preventing recurrence.

  • Auditing

The Company will regularly audit the operation of its information security management system and carry out remedial actions as needed to maintain information security.

  • Continuous Improvement

Every year we set information security goals, define and plan activities to achieve those objectives, then, according to periodical review results, set the following year’s goals. In addition, we regularly evaluate and review our Information Security Policy, its related internal regulations and our management system, pursuing continuous improvement of information security.


Objectives and Guidelines for Information Security Implementation

  • General Architecture and Framework

    • ISO/IEC 27001:2018 Information Security Management System (ISMS)

ISO/IEC 27001 is an international standard on how to manage information security. It was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and revised in 2013; the current version dates from 2018.

    • PCI Security Standards

The goal of the Payment Card Industry Data Security Standard (PCI DSS) is to control the burgeoning levels of payment card fraud and to enhance payment card security. The PCI Security Standards Council (PCI SSC) developed PCI DSS as a detailed and comprehensive set of minimum security requirements for cardholder data.

As communicated earlier, and driven by the global migration to digital payment, the PCI SSC is now targeting a Q1 2022 publication date for PCI DSS v4.0. This timeline allows for an additional request for comments (RFC) in which the community can give feedback on the PCI DSS v4.0 draft validation documents. PCI DSS v4.0 will seek to add flexibility and support additional methodologies for achieving security. (Historically, the standard has been good at this: it introduced methodologies such as file integrity monitoring (FIM) and vulnerability management (VM) in the past.)

    • Open Web Application Security Project (OWASP)

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

    • Regulator Frameworks


  • Electronic Transmission

All Transmission Control Protocol/Internet Protocol (TCP/IP) transport-layer connections are secured using:

    • Hypertext Transfer Protocol Secure (HTTPS)

An extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network and is widely used on the Internet.

      • SSL to secure the connection

We use SSL to secure communication between our server and your computer. Data transmitted between our server and your computer is already sent encrypted, but we use SSL to add another layer of protection and to ensure that the web page your browser loads is not tampered with by a third party intercepting your traffic in a man-in-the-middle (MITM) attack.

Our primary TLS certificate authority (CA) is Let's Encrypt, the world's largest TLS certificate issuer. Let's Encrypt's goal of encrypting every connection on the web, and its use of open standards wherever possible, align with our vision of an internet where privacy is the default. To allow extremely security-conscious users to further verify that they are in fact connecting to our server, we have also published the SHA-1 and SHA-256 hashes of our TLS public key.

    • HTTP Strict Transport Security (HSTS)

HSTS is a policy mechanism that helps protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

    • Web Application Firewall (WAF)

A web application firewall (WAF) is a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

Transmission of personal data over the secure connection complies with:

    • Health Insurance Portability and Accountability (HIPAA) Compliance

As set out in §164.312(e)(1), Transmission Security: implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

    • Regulator Compliances

    • Public Concerns

Browser feature / permissions policies we opt out of:

      • Google FLoC

FLoC is a proposed feature by Google that lets browsers collect, profile, and store usage patterns based on a user’s browsing habits over time. This new type of tracking, which is done directly within the browser, would then be used by Google and its advertising partners for widespread tracking and personalization of ads.

FLoC is part of a larger response by Google to the slow decay (and increased blocking) of third-party cookies on the web. Why? Because as users have become more privacy-aware, tracking and identifying them across multiple websites for advertising and surveillance has become much more difficult in recent years. With the proposed FLoC feature enabled, the browser creates "cohorts" that group users with similar browsing habits together. This cohort ID grows in size and relevance as the browser continually gathers information about the sites users visit, the ads they view, their behavioral patterns, how often they browse, and so on.

Each individual cohort is then combined with other cohort IDs when sent to Google, who will then display ads to individual users based on the relevancy of the data that has been collected within their shared cohort.

Our Response: Opting Out of FLoC

All PopIt Snack Platform pages served from the popitsnack.com domain and networks now have a Permissions-Policy: interest-cohort=() header set.
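The two response headers described above, HSTS and the FLoC opt-out, can be verified from a captured HTTP response. The following is an added example, not the platform's own code; the response text is constructed for illustration and no server is contacted.

```python
# Added example (not the platform's own code): parse a raw HTTP response and
# check the two headers this page commits to, HSTS and the FLoC opt-out.
# The response below is constructed; no server was queried.
from typing import Dict, List, Optional

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Permissions-Policy: interest-cohort=()\r\n"
    "\r\n"
    "<html>...</html>"
)
ONE_YEAR = 31536000  # a common minimum max-age for HSTS, in seconds

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (repeats kept in order)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(headers: Dict[str, List[str]]) -> Optional[int]:
    """Return the HSTS max-age in seconds, or None if the header is absent or invalid."""
    for value in headers.get("strict-transport-security", []):
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                return int(val)
    return None

def floc_opted_out(headers: Dict[str, List[str]]) -> bool:
    """True when Permissions-Policy sets interest-cohort to the empty allowlist."""
    for value in headers.get("permissions-policy", []):
        for feature in value.split(","):
            name, _, allowlist = feature.strip().partition("=")
            if name.strip() == "interest-cohort" and allowlist.strip() == "()":
                return True
    return False

def check_response(raw: str) -> Dict[str, object]:
    """Summarise both checks for one response."""
    headers = parse_headers(raw)
    age = hsts_max_age(headers)
    return {
        "hsts_max_age": age,
        "hsts_ok": age is not None and age >= ONE_YEAR,
        "floc_opted_out": floc_opted_out(headers),
    }
```

A response missing either header yields `hsts_max_age` of None or `floc_opted_out` of False, which is the condition a monitoring job would alert on.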

Pending technology features we plan to opt in to:

      • Google QUIC (Quick UDP Internet Connections) / HTTP/3

Overview
HTTP/3, the third official version of the Hypertext Transfer Protocol (HTTP), does not use the Transmission Control Protocol (TCP) as its predecessors did. Instead, it uses the Quick UDP Internet Connections (QUIC) protocol developed by Google in 2012.

QUIC is a transport-layer protocol built on multiplexed User Datagram Protocol (UDP) connections. Unlike TCP, it does not perform the TCP three-way handshake but establishes a connection in a single UDP round trip. The QUIC protocol therefore greatly improves a web component's network performance, as it uses UDP for every connection between the user agent and the web server. QUIC also relies on multiplexing to manage multiple interactions between the user agent and the server seamlessly over a single connection, without any one blocking another, which further improves performance compared to its predecessors.

Conclusion
QUIC has been gaining broad acceptance and browser support; major websites such as YouTube and Facebook have enabled it for faster page loads. As of this writing, only 4% of the top sites currently support QUIC. Microsoft has announced that it will ship Windows with a general-purpose QUIC library, MsQuic, in the kernel to support various inbox features.

QUIC and HTTP/3 are designed to meet today's goals for internet and network performance, reliability and security. Security has improved significantly through mandated support for TLS 1.3, which addresses weaknesses in HTTP/2 and earlier versions of HTTP. The use of end-to-end encryption in transit in HTTP/3 helps defend against several privacy concerns involving state actors and data aggregators. Although some weaknesses remain, HTTP/3 will continue to evolve and is a significant improvement over HTTP/2 from both the performance and the security perspective. However, it has several well-known issues, most importantly that it does not provide forward secrecy, and that it is prone to side-channel attacks that may enable an attacker to learn the session key used for a TLS session. A long history of attacks shows that RSA-PKCS#1 v1.5 is extremely difficult to implement securely.


  • Electronic Communication

All connections are encrypted with Transport Layer Security (TLS / SMART TLS), using:

    • DMARC (Domain-based Message Authentication, Reporting and Conformance) Compliance

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

DMARC extends two existing email authentication mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures – and a reporting mechanism for actions performed under those policies.

    • SPF (Sender Policy Framework) Compliance

The Sender Policy Framework (SPF) is an email authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish its authorized mail servers. Together with the DMARC-related information, this tells the receiver (or receiving system) how trustworthy the origin of an email is. SPF, like DMARC, is an email authentication technique that uses DNS (the Domain Name System). It gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.

    • DKIM (DomainKeys Identified Mail) Compliance

DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of the sending domain. This is done by giving the email a digital signature. The DKIM signature is a header added to the message and is protected cryptographically.

Once the receiver (or receiving system) determines that an email carries a valid DKIM signature, it is certain that the signed parts of the email, among them the message body and attachments, have not been modified. DKIM signatures are usually not visible to end users; validation is done at the server level. In practice these goals are achieved more effectively when the DKIM record is used together with DMARC (and SPF). DMARC uses both SPF and DKIM; together they provide the best result for email security and deliverability.
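The DMARC and SPF sections above describe policies published as DNS TXT records. As an added example (not the platform's own code), the following parses both record types and derives the verdict a receiver would reach; both records are constructed samples using example.com / example.net, and the alignment results are passed in as booleans rather than computed from a real message.

```python
# Added example (not the platform's own code): parse the DNS TXT records that
# carry a domain's DMARC policy and SPF authorisation and derive the verdict a
# receiver would reach. Both records below are constructed samples.
from typing import Dict, List

SAMPLE_DMARC = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                "adkim=s; aspf=r; pct=100")
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

ALLOWED_POLICIES = {"none", "quarantine", "reject"}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags: Dict[str, str] = {}
    for part in parts:
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = val.strip()
    # The version tag must come first and a policy tag is mandatory.
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("record does not start with v=DMARC1")
    if tags.get("p") not in ALLOWED_POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")     # apply the policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags

def parse_spf(record: str) -> Dict[str, object]:
    """Return the SPF mechanisms and the verdict for a sender matching none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[str] = []
    unlisted = "neutral"  # RFC 7208: with no 'all' term the result is neutral
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            unlisted = SPF_QUALIFIERS[qualifier]
        else:
            mechanisms.append(body)
    return {"mechanisms": mechanisms, "unlisted_sender": unlisted}

def dmarc_verdict(tags: Dict[str, str], spf_aligned: bool, dkim_aligned: bool) -> str:
    """DMARC passes if either aligned SPF or aligned DKIM passes; else apply p=."""
    return "pass" if spf_aligned or dkim_aligned else tags["p"]
```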

    • GPG/ PGP Encryption

GnuPG (more commonly known as GPG) is an implementation of the standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data. The private key is the first half of a GPG key pair; it is used to decrypt messages that were encrypted with the public key, and to sign messages, a technique used to prove that you own the key. As the name implies, this part of the key should never be shared. The public key is the second half; it is used to encrypt messages for the owner of the private key. As the name implies, this part of the key is safe to give out to the public, as it can only be used to encrypt messages or data for the private key owner.

    • Brand Indicators for Message Identification (BIMI) compliance

Brand Indicators for Message Identification (BIMI) is the latest email authentication protocol. What makes BIMI unique is that it is subscriber-facing. Your subscribers don't know that you've set up SPF, DKIM and DMARC, but they can see the results of BIMI: the logo in their inbox can be a sign that the email is safe to open and engage with. For brands, it's the pay-off for getting your email authentication practices up to speed.

Email could be just the start for BIMI. In the future, it could also present a way for third-party application developers to pull in logos while giving brands control of what’s displayed.

    • Regulator Compliances

    • Public Concerns

Communicating with other email providers (non-encrypted)

We support sending encrypted communication to users of non-encrypted providers via symmetric encryption. When you send an encrypted message to a non-encrypted email provider account that we hold, such as our Google Mail account, we will send a link that loads the encrypted message in the browser, where it can be decrypted using our PGP public key, which you will receive. You can also send us unencrypted messages from any free email provider such as Gmail, Yahoo, Outlook and others, just like regular email, but we recommend using the encrypted mail method for sensitive information.

Communicating with other email providers (no signature)

An e-signature is essentially a way of obtaining legally binding consent on forms when a physical signature on a document cannot be secured; e-signatures therefore replace a handwritten signature and are used for things like NDAs and onboarding agreements. PT. Mandiri Tunggal Sejahtera Berkarya / MTS Group Holding, LLC. uses an RSA 4096 encrypted signature for every email we send. The signature does not appear as a traditional footer-text signature; instead, a verified check mark appears next to the sender name.

Assessing which rules and regulations apply to an organization is no easy feat. Often, companies need to comply with multiple frameworks and regulations, many of which overlap. Checking all the compliance boxes is never enough, because being compliant only means meeting the minimum standards.


Limitation and Liability Clause

However, regarding a breach of the Company's commitment, misrepresentation and breach of implied terms, it is possible to limit the parties' liability if the limitation clause is "reasonable".
