Data hosting & physical security
We use Amazon Web Services (AWS) data centers in the United States, specifically in the us-east-1 facilities. These data centers and associated systems are best-in-class and meet numerous certifications including ISO 27001 and SOC 1-3. We follow AWS security best practices, leveraging AWS Security Hub and AWS Config to check and manage infrastructural security.
Access to physical and application systems is restricted on a least-privilege basis and has strict safeguards like multi-factor authentication. Such access is also logged and monitored per our policies.
Data is encrypted in transit and at rest. Data in transit is encrypted using Transport Layer Security (TLS), enforced with features like HTTP Strict Transport Security (HSTS). Encryption of data at rest (including backups) uses the industry-standard AES-256 algorithm and is handled transparently by AWS services themselves, such as Amazon Relational Database Service (RDS), using keys managed by AWS Key Management Service (KMS).
Isolation and public IPs
Our virtual servers are logically isolated within an AWS virtual private cloud (VPC), and do not have public IPs. AWS security groups, network access control, and internet gateways control access to our internal network and block unauthorized access.
DDoS and firewall
We have a robust, layered infrastructure to control access to the application, including Cloudflare, AWS CloudFront, AWS Web Application Firewall (WAF), and AWS Shield. These top-level systems prevent malicious requests from reaching the application.
Intrusion Detection and Prevention
We use services like Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect the application, network, and data. When security events exceed determined thresholds, our security team acts fast, in accordance with our policies.
Databases are backed up on a daily basis and encrypted. Our recovery procedures leverage systems like point-in-time logs and redundant version control to recover data to a point much closer to the failure. Our recovery policies enable us to restore service in the event of such unavoidable failures.
Audit logs exist at all levels, including network, database, AWS console, and application. These logs are streamed to AWS CloudWatch for viewing and analysis, as well as being held at the server level and redundantly archived on Amazon S3.
Passwords and access attempts
Passwords are never stored in plaintext and are only transmitted using TLS. Credentials are stored as one-way hashes, generated using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. We also enforce a password complexity standard. Login attempts are tracked and after a small number of attempts, authentication will be blocked.
We use mature, open-source, modern application frameworks and libraries in both the frontend and backend applications. These come with robust security controls, limiting risks like the OWASP Top 10 and protecting against Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), SQL Injection (SQLi), and many more.
Application access is strictly managed per our policies and is governed by object-level role-based access control (RBAC). Granular roles include administrators, contributors, viewers, and more.
We have a robust QA process that uses software development version control, code review, and manual and automated testing. Environments are isolated and live customer data is never used in testing and staging environments.
Exercising Your Rights
If you would like to exercise your rights under the GDPR, please submit your request to firstname.lastname@example.org.
If you would like to exercise your rights under California law with respect to your personal information, please submit your request to email@example.com.
We're always happy to provide more detail, just email us at firstname.lastname@example.org or ask your sales representative.