AS OF: SEPTEMBER 11, 2023

Security & Compliance Policy.

We are committed to the security of your application’s data. As part of this commitment, we use a variety of industry-standard security technologies and procedures to protect your information from unauthorized access, use, or disclosure.

Our security program is led by the Chief Technology Officer and is responsible for the following areas:

  • Application Security
  • Infrastructure and Network Security
  • Compliance
  • Privacy
  • Corporate Security
  • Physical Security


Data Centers

Our primary data center, where data is stored and encrypted at rest, is located in the AWS ap-southeast-2 (Sydney) region. We also use a global points-of-presence network to deliver a fast and reliable experience to users anywhere in the world. Our data center provider holds the leading certifications, including ISO 27001, AICPA SOC 2 and 3, PCI DSS, HIPAA, and more.


Meeting Your Compliance Requirements

Data Encryption 

For our Compliant SaaS accounts, all raw data is encrypted at rest. Data is decrypted only when it is requested by an authenticated member of the subscription. This provides an additional level of protection should we ever encounter a breach of our infrastructure: if data were ever lost, it would be protected by industry-standard encryption and would be useless to the attacker, since it would appear to be random data.

All data in transit is sent over HTTPS (TLS) encrypted connections. This ensures the confidentiality and integrity of the data exchanged between our application and the customer.


Data Removal 

On designated plans with data encryption at rest, data removal can be accomplished by destroying the customer’s encryption key in our encryption key store. This has the same effect as removing the data from the database. This option would normally be used to remove all account data.

On plans that do not use database encryption, data can be purged from the database and will age out of backups within seven days. This option is also used for one-off deletions of specific data.

Customized Data Retention

Our standard data retention is 365 days. Through our Compliant SaaS solution we may accommodate data retention plans of varying lengths to meet your compliance and regulatory requirements.

Data Privacy

Access to account data by our employees is limited to the set of users who need it to carry out their assigned responsibilities. We believe in the principles of ‘need to know’ and ‘least privilege’.

In addition, you are ultimately in control of what data is sent to us. We give you the ability to filter out information you don’t want to send us in the client configuration. This may be due to regulatory requirements such as PCI-DSS, or to any other privacy concern you might have.

Contingency Plans and Operations

We have a documented and tested Contingency Plan and Disaster Recovery Plan. These plans are tested at least annually, or whenever there is a major change in our environment. Lessons learned from the tests are compiled and remediated by our engineering department.

Risk Management

We perform risk management on a regular basis and update the Risk Management document as items progress. The official Risk Management document is formally reviewed and updated on an annual basis. Our main goals in risk management are the continuation of our service along with the confidentiality, integrity, and availability of customer data.


Security Policies

We have the following security policies and will make them available for customer review under an NDA. All policies are updated as needed.

  • Production Data Usage Policy
  • Access Control Policy
  • Our Vulnerability and Patch Management Policy
  • Responsible Disclosure Policy

We aim to keep our service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in our service, we appreciate your help in disclosing it to us in a responsible manner. For more information, please see our Responsible Disclosure Policy.