1. PHYSICAL SECURITY
1.1 Our physical infrastructure is hosted and managed by our service provider Amazon Web Services (“AWS”). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
1.2 We utilize ISO 27001 and FISMA certified data centers managed by AWS. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
1.3 Our data centers are located in AWS regions and countries. Enterprise customers can specifically request instances to be hosted in a specific region and specific country, e.g., the United States.
2. NETWORK SECURITY
2.1 All firewall infrastructure and management is provided by AWS. Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to the ports and protocols required for a system’s specific function to mitigate risk. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
2.2 Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. AWS utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels. Port scanning is prohibited, and every reported instance is investigated by AWS. When port scans are detected, they are stopped and access is blocked.
2.3 Third-party security testing of our service provider is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.
2.4 In the event of a security incident, our engineers are called in to gather extensive logs from critical host systems and analyze them to respond to the incident in the most appropriate way possible. Gathering and analyzing log information is critical for troubleshooting and investigating issues. AWS allows us to analyze three main log types: system, application, and API logs.
2.5 AWS infrastructure provides DDoS mitigation techniques including TCP SYN cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
2.6 Access to Our Production Network is restricted on an explicit need-to-know basis. It utilizes least privilege, is frequently audited, and is closely controlled by our Engineering Team through IP whitelisting. In addition, employees accessing Our Production Network are required to use multiple factors of authentication.
2.7 Our platform uses a single-tenant model where Service Data is stored in Customer-specific instances. Enterprise customers can specifically request that Customer uploaded data is also stored in a Customer-specific instance.
3. ENCRYPTION
3.1 Our platform is SSL-only and communications between you and our servers are encrypted via industry best practices (HTTPS). Data is encrypted in transit with TLS across all services. Message queues used for the transmission of sensitive data are encrypted using server-side encryption (SSE) for Amazon SQS.
3.2 Enterprise customers can specifically request data to be encrypted at rest.
4. AVAILABILITY & CONTINUITY
4.1 Uptime is continuously monitored by our infrastructure team and availability reports can be provided upon request. Enterprise customers can specifically request a guaranteed uptime SLA of 99.9% or 99.99%.
4.2 Our service clustering and network redundancies eliminate single points of failure. Enterprise customers can specifically request a dedicated network configuration for their instance.
4.3 Our service provider’s platform automatically restores customer applications and databases in the case of an outage. The provider’s platform is designed to dynamically deploy applications within its cloud, monitor for failures, and recover failed platform components including customer applications and databases.
5. SECURE DEVELOPMENT (SDLC)
5.1 Our QA department reviews and tests our code base. Dedicated application engineers on staff identify, test, and triage security vulnerabilities in code.
5.2 Testing and staging environments are separated from the production environment. No actual customer data is used in development or test environments.
5.3 Single Sign-On (“SSO”) allows you to authenticate users via your own identity provider systems without requiring users to enter their credentials into our systems. Enterprise customers can specifically request SSO.
5.4 Our platform supports SSO using Google ID Authentication and Microsoft ID Authentication. Enterprise customers can specifically request additional SSO integration with any system that supports SAML.
5.5 Our platform follows secure credential storage best practices by never storing passwords in human-readable format.
5.6 Our API is SSL-only and you must be a verified user to make API requests. You can authorize against the API using an API token.
6. ADDITIONAL PRODUCT SECURITY FEATURES
6.1 Access to data within our platform is governed by access rights and can be configured to define access privileges. Our platform has various permission levels for the organization and users.
6.2 All communications with AWS are encrypted using industry standard HTTPS. This ensures that all traffic between you and Our platform is secure during transit.
6.3 We highly encourage You to use SSO authentication, because when using SSO authentication, we do not store usernames and passwords in our platform. When not using SSO authentication, our platform does not store passwords in cleartext.
6.4 Third-Party Users can only be granted access into the system through invitation or sponsorship from an existing user. In addition, Third-Party Users are only granted temporary access that will self-expire.
7. SECURITY AWARENESS
7.1 We have a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to our platform.
7.2 All employees are continually trained and made aware of security updates via alerts, emails, and presentations during internal events.
8. EMPLOYEE VETTING AND ACCESS
8.1 We perform background checks on all new employees in accordance with local laws. The background check includes Criminal, Education, and Employment Verification.
8.2 All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements. Failure to comply with Our policies, Non-Disclosure and Confidentiality Agreements will result in initiating our Disciplinary Policy.
8.3 Employees' emails are continually scanned by virus scanners and malware checkers, and for hacking and phishing attempts.
8.4 Access to Our Production Network is granted to employees on a strict need-to-know basis and is only available via Our SSO. Upon termination, SSO, network access, and equipment access are revoked.
9. PUBLIC AUTHORITY ACCESS
9.1 In certain situations, We may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information with relevant law enforcement agencies or public authorities if we believe the same to be necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Master Subscription Agreement, or as otherwise required by law.
9.2 In order to provide transparency in respect of lawful requests by public authorities to access personal information, We may voluntarily issue periodic transparency reports on the number of requests for personal information We have received from public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law.