At ByWater, we take data security and privacy very seriously. This page provides some general information about our practices to give you confidence in how we secure your data.


  • ByWater will never sell, rent, or provide information to third parties to help them advertise to you or your library patrons. You may elect to allow third parties to access your data, but we will never do this on your behalf. If you want an integration to have access to data in your ByWater products for marketing purposes, you must request it from the third party directly.

  • Your data does not leave its country of origin (without previous agreement and authorization).

  • Our financial interests are aligned with yours: we make money when you see value in and purchase one of our paid product offerings, e.g. Koha Library Management System, Aspen Discovery, Libki, or Metabase.

  • Rest assured that we do not want or need any private or sensitive data from your library. It’s our view that using libraries’ personal or sensitive data in any manner other than to provide our services would be unethical, and inconsistent with ByWater’s values.

Compliance - Certifications

  • ByWater is TXRamp Level 1 provisionally certified.

Compliance - Infrastructure

  • Our services are hosted in multiple cloud environments, including Rackspace Dedicated Hosting, AWS, and Google Cloud, which continuously maintain certification for a variety of global security and compliance frameworks.

Application Security

  • We use TLS everywhere in our applications.

  • Your data is encrypted at rest and in transit using industry standards.

  • We regularly scan our applications for vulnerabilities using automated tools and apply security patches to vulnerable components.

  • When you pay ByWater Solutions, we prefer ACH. You input all of the information yourself; we do not store it.

Data Protection and Disaster Recovery

  • Our systems were designed and built with disaster recovery in mind.

  • Our data is automatically backed up daily and we regularly test that our backups are working and can be easily restored.

  • Backups are stored using industry-standard encryption, and long-term backups are stored offsite for redundancy.

What happens to library data if we cease our relationship?

  • Should you choose to leave ByWater Solutions' hosted Koha solution, your data will be retained until we are certain you have received the final copy of your data. At that time (normally less than a week after your sunset date), all backups, data, and systems will be purged from our infrastructure.

Corporate Security

  • We require screensaver locks, password manager use, and automatic updates to be enabled on company-owned laptops and devices.

  • We implement a human review process augmented by automated checks to ensure consistent quality in our software development practices.

  • Access to services, source code, and third-party tools is secured with two-factor authentication whenever possible.

  • Employees are given the lowest level of access that allows them to get their work done and data access is logged.

  • Our employee contracts include a confidentiality agreement.

  • Personnel undergo role-based personnel screening before hiring.

  • Employees receive regular security awareness training.

Responsible Disclosure

  • If you’ve discovered a vulnerability in any of our applications, please contact us through our ticketing system. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues.

  • We prioritize clearly written reports with reproducible examples for Koha, Aspen Discovery, Libki, and Metabase, as members of those Open Source communities.