VisionMenu Data Security and Assess Compliance Summary

At VisionMenu, we follow a strict information security protocol set out in detail in our Written Information Security Policy (“WISP”). Our WISP implements administrative, technical, and physical safeguards to assure that any information belonging to you or your customers in our possession remains safe from unauthorized disclosure or unauthorized transmission. A few of the salient features of VisionMenu’s WISP are listed below, to better acquaint you with the seriousness with which VisionMenu takes the protection of your data and your customers’ data.

Technical Safeguards

Servers

VisionMenu’s servers are maintained in a secured environment using a third-party datacenter certified to the international standard for information security, ISO 27001. Since 2009, the Security Management system has provided the foundation for an integrated and sustainable security model working in tandem with other security controls such as PCI-DSS. It is subject to ongoing external assessment with a full re-assessment every three years.

Data Protection

Servers are backed up to a centralized Managed Backup Storage System. The schedule is weekly full and daily differential backups, kept for a determined retention period.

Firewalls

VisionMenu’s firewalls provide a level of security and have earned many industry accolades, including ICSA Firewall and IPSec certification requirements and Common Criteria EAL4 evaluation status.
Our datacenter provider deploys firewalls in a maximally secure state, with ports closed and services turned off from untrusted to trusted networks. Additionally, VisionMenu specifies the IP address ranges that may be used for remote administration in order to tightly restrict it, and routers are configured to prevent Denial of Service (DoS) attacks through the use of anti-spoofing Access Control Lists (ACLs).

Access to Network Devices

Our datacenter provider secures access to core networking infrastructure utilizing inherent access control functionality in TACACS+ software. TACACS+ is an industry standard network device access control system. Processes are in place to review the TACACS+ access lists on a quarterly basis to verify those users on the list still require access. Any discrepancies found are corrected immediately. Access to network devices via TACACS+ is initially provisioned only to those employees that require it on a role-specific basis.

Encryption of Sensitive Documents

Original and signed PDFs, as well as PNG images transmitted to devices, are stored encrypted on our file server with an AES-256 encryption algorithm. The AES-256 encryption algorithm is used by the U.S. Government to encrypt “Top Secret” information. When documents and signatures are sent from or to devices, they are encrypted with TLS 1.2 and AES-256 (the most secure cryptographic protocol commonly available to all web browsers).

Document Isolation

Dealers can only access documents for dealerships they have been given permission to access. For instance, if a dealership customer includes the flagship as well as three sister stores, the dealership customer can access documents generated from those four dealerships. However, they cannot access the documents for any of the other dealership customers in the system.

Retention and Disposal of Documents

VisionMenu maintains a records retention policy in written form that identifies what information must be kept, how that information is secured, how long we keep the information, and how we dispose of it securely once it is time to do so. When disposing of sensitive information, we take care to ensure that our practices are reasonable and appropriate to prevent unauthorized access. For example, when disposing of paper records, the paper records are shredded, burned or pulverized before discarding, and we use a wipe utility program to erase all data on a hardware device before discarding the device.

Strong Password Protection

Logical access to core networking equipment and VisionMenu resources requires strong password access and is granted only to those employees in roles that require such access. These password protections also ensure that access is granted to active user accounts only, and access is blocked to a particular user after multiple unsuccessful attempts to gain access. 

Administrative Safeguards

Managing Corporate Network Technical Vulnerabilities

VisionMenu’s datacenter maintains an ISO 27001 certified internal vulnerability management policy that includes regular vulnerability assessments of the corporate network intended to identify, assess and remediate technical vulnerabilities. In addition, the PCI Merchant program requires quarterly scans of the internal network for vulnerabilities; remediation follows PCI standard guidelines.

Event Logging and Transaction Documentation

When a car buyer signs a document (or undoes a signature), accepts a disclaimer (eSignature, multi-page), or chooses to have the documents printed or emailed to them (Delivery consent), the following is stored: (i) the F&I user requesting and witnessing the signature of the documents; (ii) the IP address the signature or request came from; and (iii) the timestamp of each signature or request.

Employee Training

All VisionMenu employees or contractors with access to nonpublic personal information are trained and retrained extensively on the procedures and protocols of VisionMenu’s WISP.

Breach Notification

The occurrence of a breach is an unfortunate possibility that no level of security, even the superior security measures taken by VisionMenu, can erase. We can, however, ensure that you and your customers are promptly informed if your information is ever at risk. In the event of a data breach, we will promptly alert all potentially affected individuals and entities of the nature and timing of the breach, with particular attention to the Disclosure and Notification Requirements under Indiana Law, found at I.C. 24-4.9-3.

Dealings with Contractors and Service Providers

Before we outsource any of our business functions (e.g. payroll, employee benefits), the data security practices of the potential service provider are investigated. VisionMenu’s security expectations are put into writing in our contracts with the service providers, and compliance is periodically verified.