AS OF: SEPTEMBER 11, 2023
Security & Compliance Policy.
We are committed to the security of your application’s data. As part of this commitment, we use a variety of industry-standard security technologies and procedures to protect your information from unauthorized access, use, or disclosure.
Our security program is led by the Chief Technology Officer and is responsible for the following areas:
- Application Security
- Infrastructure and Network Security
- Compliance
- Privacy
- Corporate Security
- Physical Security
Data Centers
Our primary data center, where data is stored and encrypted at rest, is located in the AWS ap-southeast-2 (Sydney) region. We also use a global points-of-presence network to deliver a fast and reliable experience to users anywhere in the world. Our data center provider complies with top certifications, including ISO 27001, AICPA SOC 2 and 3, PCI DSS, HIPAA, and more.
Meeting Your Compliance Requirements
Data Encryption
For our Compliant SaaS accounts, all raw data is encrypted at rest. Data is decrypted only when requested by an authenticated member of the subscription. This provides an additional level of protection should we ever encounter a breach of our infrastructure. In that case, if data were ever lost, it would be protected by the best industry standards in encryption technology and would be useless to the attacker, since it would appear to be randomized data.
All data in transit is sent through HTTPS (TLS) encrypted connections. This ensures the confidentiality and integrity of the data sent between our application and the customer.
Data Removal
On designated plans with data encryption at rest, data removal can be accomplished by destroying the customer’s encryption key in our encryption key store. This has the same effect as removing the data from the database. This option would normally be used to remove all account data.
On plans that do not use database encryption, data can be purged from the database and will fall out of backups over seven days. This option is also used for one-off deletions of specific data.
Customized Data Retention
Data Privacy
Access to account data by our employees is limited to a necessary set of users consistent with their assigned responsibilities. We believe in the concepts of ‘need to know’ and ‘least privilege’.
In addition, you are ultimately in control of what data is sent to us. The client configuration lets you filter out information you don’t want to send to us. This may be due to regulatory requirements such as PCI DSS, or any other privacy concern that you might have.
Contingency Plans and Operations
Risk Management
Security Policies
We have the following security policies and will make them available for customer review under an NDA. All policies are updated as needed.
- Production Data Usage Policy
- Access Control Policy
- Our Vulnerability and Patch Management Policy
- Responsible Disclosure Policy