Who we are
Our website address is: https://www.kickingpanda.com.
Our business address is:
20687 Amar Road Ste 2-900
Walnut, CA 91789
Data Protection Policy
1. Network Protection
We will implement network protection controls (e.g. VPC subnet/Security Groups, Virtual Networks, network firewalls) to deny access to unauthorized IP addresses.
2. Access Management
We will not create or use generic, shared, or default login credentials or user accounts, and will implement baselining mechanisms to ensure that at all times only the required user accounts access private information. We will review the list of people and services with access to private information on a regular basis (at least quarterly), and remove accounts that no longer require access.
3. Encryption in Transit
All data in transit must be sent over TLS/HTTPS. In the case we are working with legacy systems, we highly recommend converting to HTTPS, as we must enforce this security control on all applicable external endpoints used by customers as well as internal communication channels and operational tooling. Unsecured communication channels will be disabled.
4. Incident Response Plan
Plans and Tooling will be in place to detect and handle security incidents. These identify the incident response roles and responsibilities, define incident types that may impact third parties, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to respective parties. Such Plans and Tooling will be reviewed and verified every 6 months.
Data breaches require the client (customer), users, third-party APIs and all other parties to be notified within 72 hours, unless otherwise specified by the parties' rules and regulations (e.g. Amazon requires 24-hour notice).
5. Request for Deletion and Return
We will respond to data requests within 72 hours and you may ask for data to be permanently deleted, with written confirmation after it is completed.
6. Data Governance
We will create, document, and abide by a privacy and data handling policy for our Applications or services which governs the appropriate conduct and technical controls to be applied in managing and protecting information assets.
7. Encryption and Storage
All data at rest must be encrypted. The cryptographic materials and cryptographic capabilities used for encryption will only be accessible to our processes and services, and will never be shared. Data will never be persisted using removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive) unless there is written consent from the client.
8. Least Privilege Principle
We implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application’s operators following the principle of least privilege, which means data is protected under a unique access role, and access should be granted on a “need-to-know” basis.
9. Logging and Monitoring
We have our own proprietary logging and monitoring system which gathers logs to detect security-related events affecting Applications and systems. All logs are only accessible privately by us and we prevent any unauthorized access and tampering throughout their lifecycle. Our internal system contains mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions. In case there is an incident, it will be dealt with in accordance with our Incident Response Plan.
We audit our data policies and security best practices regularly, as well as follow updates on Amazon, Google, and Azure’s best practices.
What personal data we collect and why we collect it
Cloud Account Credentials
We will never ask you for access to your AWS/GCP/Azure cloud credentials. These cloud platforms have mechanisms for assigning permissions to our Cloud accounts. We will conform to best practices to protect our own cloud accounts in order to keep your data and processes safe.
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
Who we share your data with
No one. All your data is kept private and never shared with any advertisers.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
How we protect your data
Databases are encrypted. All our projects are hosted on AWS, Google Cloud, or Azure and the data is protected by their systems’ policies. Any data submitted must be submitted over the latest secure HTTPS/TLS. Reasonable measures are taken to ensure encryption technology is kept up to date.
What data breach procedures we have in place
Data breaches require the client (customer), users, third-party APIs and all other parties to be notified within 72 hours. Services should be stopped until the breach can be secured. The nature of the data breach will be taken into consideration, and swift action should be taken.
Industry regulatory disclosure requirements
Smush sends images to the WPMU DEV servers to optimize them for web use. This includes the transfer of EXIF data. The EXIF data will either be stripped or returned as it is. It is not stored on the WPMU DEV servers.
Smush uses a third-party email service (Drip) to send informational emails to the site administrator. The administrator’s email address is sent to Drip and a cookie is set by the service. Only administrator information is collected by Drip.