Silicon Prairie Online
Privacy & Cybersecurity Policies Statement

Effective 2016.12.15

Silicon Prairie Online Portal & Exchange llc d/b/a Silicon Prairie Online (“us”, “we”, or “our”) operates https://sppx.io (the “Site”). This page informs you of our policies regarding the collection, use and disclosure of Personally Identifiable Information ("PII") we receive from users of the Site as well as our cybersecurity policies and procedures with respect to data breach and notifications.

Information Collection And Use

We use your Personal Information only for providing the services offered and improving the Site. By using the Site, you agree to the collection and use of information in accordance with this policy. While using our Site, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • Your name & email address
  • Addresses & phone numbers
  • Drivers License number & image
  • SSN (if you are an issuer or investor)

Privacy & Security

The privacy & security of your Personal Information is important to us. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security. You have a right to request a copy of all PII that we maintain on your behalf and to amend or correct the PII, as well as the right to have your account disabled. We have certain regulatory obligations to maintain investor records for a period of time up to and including seven (7) years or as directed by local, state and federal authorities.

Cyber Security

We use a combination of administrative, preventative and detective controls to assure our site and our users data is secured against cybersecurity attacks to maintain Confidentiality, Integrity and Availability. All hardware is owned and managed by our staff directly and data center company staff do not have administrative access.

We follow industry best practices with regard to our data center deployments including but not limited to:

  • Distributed Denial of Service (“DDOS”) protection
  • Web application & network firewalls
  • Network segmentation (“DMZ”)
  • Protocol breaks and inspection
  • All web traffic uses Secure Socket Layers (“SSL”)
  • Two-Factor Authentication (“2FA”) required for administrative access


    Our portal software is built upon a fine-grained role based access control system (“RBAC”) to assure that there is a segregation between regular users, vetted investors, issuers, and partners.

    The system implements an anti-automation mechanism to prevent against sophisticated “robo-attacks” on user accounts as well as a failed login lockout mechanism that blocks a user from logging in after seven attempts. Administrative staff is notified automatically via email when a user or host is blocked.

    SECURITY MONITORING AND INCIDENT RESPONSE

    We leverage network and endpoint-based controls to facilitate security logging and monitoring of user activities, exceptions, faults, and events in accordance with business, legal, and regulatory requirements. Collected logs and associated analysis are appropriately archived, protected from unauthorized access, and regularly reviewed.

    We have established and maintain an incident response process and where required, reporting processes for disclosures of PII in the event of data loss or a data breach. If we have reason to believe that a user’s data was compromised we will:

    1. Notify them in writing at the last known address on file, or
    2. Notify them by email if that is their preferred method of contact
    3. Notify all recognized consumer reporting agencies in the event the breach exceeds 500 records

    All notifications will be in within 48 hours of discovery unless otherwise requested by law enforcement. We will also notify respective state administrators according to their individual disclosure requirements. In Minnesota it is pursuant to section 325E.61

    We encourage reporting from our employees, investors, issuers and others of any and all suspicious activities to [email protected]

    Changes To This Policy

    This policy is effective as of the date noted at the top and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page. We reserve the right to update or change our Privacy & Cybersecurity Policy Statement at any time and you should check this policy periodically. Your continued use of the Service after we post any modifications to the Security and Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified policy. If we make any material changes to this policy, we will notify you either through the email address you have provided us, or by placing a prominent notice on the Site.