Earning and keeping your trust is our top priority. Learn about the security measures we have in place to safeguard your data and provide a protected online environment.
We understand the paramount importance of security in all aspects of our operations. We are committed to providing a safe and secure environment for our users. Our security policy covers a range of key areas to ensure the protection of your data and privacy.
We have implemented a comprehensive Information Security Management System (ISMS) that outlines our security objectives, identifies potential risks, and prescribes effective mitigations. Our policies and procedures are designed to safeguard the security, availability, processing integrity, and confidentiality of your data.
To maintain the highest level of trust, every member of our team undergoes a rigorous background verification process. We partner with reputable external agencies to conduct thorough checks, including criminal records, previous employment history, and educational background. No employee is assigned tasks that may pose risks to our users until this vetting process is successfully completed.
Our commitment to security extends to our employees. Upon joining our team, each member signs a confidentiality agreement and an acceptable use policy. They then receive training in information security, privacy, and compliance. To ensure their understanding, we conduct tests and quizzes, identifying areas where additional training may be necessary. We provide ongoing education within our internal community, keeping our team informed and up to date with our security practices. Periodic internal events are also hosted to promote awareness and encourage innovation in the realm of security and privacy.
We have dedicated security and privacy teams responsible for executing and managing our security and privacy programs. Our team engineers and maintains our defense systems, establishes review processes for security, and maintains continuous network monitoring to identify any suspicious activity. Additionally, they provide specialized consulting services and guidance to our engineering teams.
Our dedicated compliance team regularly reviews our procedures and policies to ensure alignment with industry standards. They identify the necessary controls, processes, and systems required to meet these standards. This team conducts internal audits and facilitates independent audits and assessments by third parties to guarantee the highest level of compliance.
All workstations provided to (Website Name) employees adhere to stringent security standards. They run up-to-date operating systems and are equipped with anti-virus software. Our workstations are configured to encrypt data at rest, use strong passwords, and automatically lock when idle. Mobile devices used for business purposes are enrolled in our mobile device management system to ensure they meet our security standards.
At (Website Name), your security is our top priority. We are committed to maintaining a secure environment for your data and privacy.
We prioritize the security of our physical assets, ensuring the safety of our workplaces and data centers.
Access to our facilities, including buildings, infrastructure, and premises, is meticulously controlled through access cards. These access cards are tailored to the specific needs of employees, contractors, vendors, and visitors, ensuring they can only access areas relevant to their roles. Our Human Resource (HR) team plays a pivotal role in defining and managing these access privileges. We maintain comprehensive access logs to promptly identify and address any unusual access patterns.
Our data centers operate under the supervision of reputable colocation providers who oversee building management, power, cooling, and physical security. Only a select group of authorized personnel have access to these data centers, and additional access requests require managerial approval. To enhance security, we implement a stringent two-factor authentication and biometric authentication process. Access logs, activity records, and camera footage are available in case of any security incidents.
We maintain a watchful eye on all activities within our premises, including our business centers and data centers. This surveillance is facilitated through strategically placed CCTV cameras, ensuring compliance with local regulations. We also retain backup footage for a specific period, as required by each location.
We've established a multi-layered approach to network security. Firewalls are in place to prevent unauthorized access and filter out undesirable traffic. Our systems are organized into separate networks to safeguard sensitive data, with distinct networks dedicated to testing and development activities. Regular monitoring of firewall access occurs on a strict schedule, with daily reviews of any changes. Semi-annual reviews are also conducted to refine and update rules. Our dedicated Network Operations Center team continuously monitors our infrastructure and applications for any anomalies or suspicious activities. We employ a proprietary monitoring tool to keep a vigilant watch on essential parameters, triggering alerts at the first sign of any abnormal or suspicious activities in our production environment.
To ensure uninterrupted service, all components of our platform are redundant. We've adopted a distributed grid architecture that shields our system and services from potential server failures. Even in the event of a server failure, users can continue without disruption, as their data and (Website Name) services remain accessible.
We've also implemented multiple switches, routers, and security gateways to establish device-level redundancy, eliminating single points of failure in our internal network.
(Website Name) collaborates with reputable service providers to deploy advanced DDoS prevention technologies that shield our servers from disruptive attacks. These technologies offer robust DDoS mitigation capabilities to weed out malicious traffic while permitting legitimate traffic to flow smoothly. This ensures our websites, applications, and APIs remain highly available and perform efficiently.
Every server designated for development and testing activities undergoes hardening, which involves disabling unused ports, accounts, and removing default passwords. The base Operating System (OS) image is configured with server hardening measures, ensuring consistency across all servers.
Our intrusion detection system monitors host-based and network-based signals, collected both from individual devices and from monitoring points within our server infrastructure. Administrative access, privileged commands, and system calls across all servers in our production network are meticulously logged. Security engineers rely on these logs, combined with rule-based machine intelligence, to receive early warnings of potential incidents. At the application layer, we utilize our proprietary Web Application Firewall (WAF), which operates on a combination of whitelist and blacklist rules.
At the Internet Service Provider (ISP) level, we employ a multi-layered security approach that includes scrubbing, network routing, rate limiting, and filtering to counter attacks from the network layer to the application layer. This system ensures clean traffic, reliable proxy services, and prompt reporting of any attacks.
At (Website Name), we are dedicated to safeguarding your data and ensuring the highest level of security across our infrastructure.
Our security is at the core of our operations. We implement robust measures to protect your data and ensure a secure environment.
Every change and new feature at (Website Name) undergoes rigorous scrutiny through our change management policy to ensure that all application changes are authorized before they are rolled out to production. We strictly adhere to secure coding guidelines in our Software Development Life Cycle (SDLC). All code changes are meticulously screened for potential security issues, utilizing code analyzers, vulnerability scanners, and manual review processes.
Our security framework, founded on OWASP standards, is implemented at the application layer to defend against threats like SQL injection, Cross-Site Scripting, and application layer Denial of Service (DoS) attacks.
We understand the significance of data isolation and have adopted stringent protocols to guarantee the separation of customer data. Our framework ensures that each customer's service data is logically partitioned from others, maintaining the privacy and security of your data.
Your data is your own, and we do not share it with any third party without your explicit consent.
When your data is transmitted to our servers over public networks, it is shielded with robust encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS) 1.2/1.3 encryption with strong ciphers. This encryption applies to all connections, including web access, API access, mobile apps, and IMAP/POP/SMTP email client access. For email, we utilize opportunistic TLS by default, ensuring the secure transfer of data between mail servers where peer services support this protocol.
We proudly support Perfect Forward Secrecy (PFS) on our encrypted connections. This means that even if our long-term private keys were compromised in the future, previously recorded communications would remain secure, because each session uses its own ephemeral keys. Additionally, we've enabled HTTP Strict Transport Security (HSTS) on all our web connections, ensuring that modern browsers only connect to us over an encrypted connection. On the web, we set the Secure flag on all our authentication cookies so they are never sent over plain HTTP.
Sensitive customer data at rest is fortified with the Advanced Encryption Standard using 256-bit keys (AES-256). We maintain and manage the encryption keys in-house through our Key Management Service (KMS). We further enhance security by encrypting the data encryption keys with master keys. These master keys and data encryption keys are physically separated and stored on different servers with restricted access.
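The key hierarchy described above, as an added example that is not the site's own code: a per-record data encryption key (DEK) protects the data, only the wrapped copy of that DEK is stored beside the ciphertext, and the master key never has to leave the more restricted KMS host. It is written in Go with AES-256-GCM from the standard library; using the record identifier as associated data is an assumption of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed example of envelope encryption (not the site's own code): each
// record gets its own data encryption key (DEK) wrapped under a master key. The
// wrapped DEK is stored beside the ciphertext; the master key stays on the KMS host.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // a wrong key length is a programming error here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts under key with a random nonce prepended; aad binds the output
// to its record so a wrapped DEK cannot be swapped between records.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // crypto/rand failing is not something to continue from
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or tampered bytes fails the tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Encrypt draws a fresh 256-bit DEK, encrypts the data with it and wraps the
// DEK under the master key; the plaintext DEK is then discarded.
func Encrypt(masterKey, plaintext []byte, recordID string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(masterKey, dek, []byte(recordID)), seal(dek, plaintext, []byte(recordID))
}
// Decrypt unwraps the DEK with the master key (the only step needing it), then decrypts the data.
func Decrypt(masterKey, wrappedDEK, ciphertext []byte, recordID string) ([]byte, error) {
	dek, err := open(masterKey, wrappedDEK, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(recordID))
}
```

Rotating the master key means re-wrapping each stored DEK, not re-encrypting the data itself, which is why the two layers are kept apart.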
We respect your data and will retain it for as long as you continue to use (Website Name) Services. If you decide to terminate your (Website Name) user account, your data will be deleted from the active database during the next scheduled cleanup, which occurs once every six months. Any data removed from the active database is also deleted from backups after three months. In cases where unpaid accounts remain inactive for a continuous period of 120 days, we may issue prior notice and provide an option to back up your data before account termination.
We ensure that the disposal of unusable devices is conducted by verified and authorized vendors. Until disposal, we securely store these devices. Any information contained within these devices is formatted before disposal. For failed hard drives, we use a process called degaussing followed by physical shredding, ensuring data cannot be retrieved. Similarly, for failed Solid State Drives (SSDs), we employ crypto-erasure and shredding to safeguard sensitive information.
(Website Name) offers Single Sign-On (SSO) for a seamless login experience, allowing users to access multiple services with a single sign-in page and one set of authentication credentials. Your sign-in to any (Website Name) service takes place through our integrated Identity and Access Management (IAM) service. We also support SAML for SSO, enabling customers to integrate their company's identity provider, such as an LDAP directory or ADFS, when logging into (Website Name) services.
SSO simplifies the login process, ensures compliance, enhances access control and reporting, and reduces the risk of password-related security issues.
We provide an additional layer of security with Multi-Factor Authentication (MFA), requiring users to provide an extra verification factor in addition to their password. This significantly reduces the risk of unauthorized access in the event of a compromised password. Our MFA options include biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP. We also support the YubiKey hardware security key for MFA.
To maintain the utmost security and protect user data, we employ strict technical access controls and internal policies to prevent employees from accessing user data arbitrarily. We strictly adhere to the principles of least privilege and role-based permissions to minimize data exposure risks.
Access to production environments is centralized and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. This access is facilitated through a separate network with stringent rules and hardened devices. We log all operations and conduct periodic audits to ensure the security of your data.
At (Website Name), your data security is a top priority, and we are dedicated to providing a secure environment for your information and ensuring your peace of mind.
At (Website Name), operational security is a fundamental component of our commitment to safeguarding your data and ensuring uninterrupted service. Here's how we ensure operational security:
We employ comprehensive logging and monitoring systems to gather data from various sources, including services, internal network traffic, and device usage. This information is stored as event logs, audit logs, fault logs, administrator logs, and operator logs. These logs undergo automatic monitoring and analysis to identify anomalies, such as unusual activities in employee accounts or attempts to access customer data. To maintain their integrity, these logs are securely stored on a server isolated from full system access, allowing for centralized access control and ensuring availability.
Moreover, our detailed audit logs cover all update and delete operations performed by users, providing transparency and accountability in every (Website Name) service.
We are dedicated to identifying and mitigating security threats through a robust vulnerability management process. This process includes active scanning for vulnerabilities using certified third-party scanning tools, in-house tools, and a combination of automated and manual penetration testing efforts. Our security team continuously monitors public mailing lists, blogs, wikis, and inbound security reports to stay vigilant against potential threats that could impact our infrastructure.
When a vulnerability is detected, it is meticulously logged, prioritized based on severity, and assigned to an owner for resolution. We assess associated risks and closely track the vulnerability until it is effectively addressed through system patches or relevant controls.
(Website Name) employs an automated scanning system to scan all user files and prevent the spread of malware throughout our ecosystem. Our anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns. We also utilize a proprietary detection engine enhanced with machine learning techniques to protect customer data from malware.
To combat spam, we implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), which verifies the authenticity of messages through SPF and DKIM checks. Our dedicated anti-spam team actively monitors signals from our software and addresses abuse complaints to ensure a secure and spam-free environment.
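An added illustration of the DMARC check just described (not the site's own code): it parses a DMARC TXT record and then applies DMARC's identifier alignment rule, under which an SPF or DKIM pass only counts if the authenticated domain aligns with the domain in the message's From: header. Approximating the organizational domain by the last two labels is a simplification of this example; real evaluators use the Public Suffix List.

```go
package main

import (
	"errors"
	"strings"
)

// Policy holds the DMARC record tags this evaluator uses (constructed example, not the site's code).
type Policy struct {
	P     string // requested disposition: none, quarantine or reject
	ADKIM byte   // DKIM alignment mode: 'r' relaxed (default) or 's' strict
	ASPF  byte   // SPF alignment mode, same values
}
// ParseDMARC parses "v=DMARC1; p=reject; adkim=s"-style records (tags are case-insensitive).
func ParseDMARC(txt string) (Policy, error) {
	pol := Policy{ADKIM: 'r', ASPF: 'r'}
	tags := strings.Split(txt, ";")
	if strings.TrimSpace(tags[0]) != "v=DMARC1" {
		return pol, errors.New("not a DMARC1 record")
	}
	for _, tag := range tags[1:] {
		k, v, _ := strings.Cut(strings.ToLower(strings.Join(strings.Fields(tag), "")), "=")
		switch {
		case k == "p":
			pol.P = v
		case k == "adkim" && v == "s":
			pol.ADKIM = 's'
		case k == "aspf" && v == "s":
			pol.ASPF = 's'
		}
	}
	if pol.P != "none" && pol.P != "quarantine" && pol.P != "reject" {
		return pol, errors.New("missing or invalid p= tag")
	}
	return pol, nil
}
// orgDomain approximates the organizational domain as the last two labels (real evaluators use the Public Suffix List).
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}
// aligned: exact match in strict mode, same organizational domain in relaxed mode.
func aligned(fromDomain, authDomain string, mode byte) bool {
	if mode == 's' {
		return authDomain != "" && strings.EqualFold(fromDomain, authDomain)
	}
	return authDomain != "" && orgDomain(fromDomain) == orgDomain(authDomain)
}
// Evaluate returns "pass" when an aligned SPF or DKIM check passed, else the p= disposition;
// spfDomain/dkimDomain are the domains whose SPF/DKIM check passed ("" if that check failed).
func Evaluate(pol Policy, fromDomain, spfDomain, dkimDomain string) string {
	if aligned(fromDomain, spfDomain, pol.ASPF) || aligned(fromDomain, dkimDomain, pol.ADKIM) {
		return "pass"
	}
	return pol.P
}
```

Alignment is what makes DMARC stronger than SPF or DKIM alone: a message whose SPF and DKIM both pass for some unrelated domain still fails when that domain does not align with the From: header.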
To safeguard your data, we conduct daily incremental backups and weekly full backups of our databases using the (Website Name) Admin Console (ZAC) for (Website Name)'s Data Centers. These backups are stored in the same location, packaged in tar.gz format and encrypted with AES-256. All backup data is retained for three months. If you ever require data recovery within this retention period, we will promptly restore your data and provide secure access to it, in a time frame that depends on the complexity and size of the data.
We ensure the safety of our backup data through a redundant array of independent disks (RAID) in our backup servers. All backups are scheduled and regularly monitored. In the rare event of a failure, re-runs are initiated and resolved without delay. Full backup integrity and validation checks are automatically performed using the ZAC tool.
For added peace of mind, we strongly recommend that you schedule regular backups of your data by exporting it from (Website Name) services and storing it locally within your infrastructure.
Application data is stored on resilient storage replicated across data centers. In the event of a primary data center failure, the secondary data center seamlessly takes over, ensuring minimal to no downtime. Both centers are equipped with multiple Internet Service Providers (ISPs) for redundancy.
To further fortify our operations, we have implemented power backup systems, temperature control, and fire prevention measures as physical safeguards. These measures, along with redundant data, support a comprehensive business continuity plan that covers our key operations, including support and infrastructure management.
At (Website Name), we are committed to maintaining operational security that ensures the availability, integrity, and confidentiality of your data, providing you with a reliable and secure online experience.
At (Website Name), we are dedicated to effective incident management to protect your data and maintain the security of our environment. Here's how we manage incidents:
We've established a specialized incident management team that promptly identifies, addresses, and reports incidents affecting your interests. In case of applicable incidents, we'll provide you with necessary evidence, such as application and audit logs, and suggest any actions you might need to take. We implement preventive measures to minimize the likelihood of similar incidents in the future.
If you report a security or privacy incident to us at incidents@(Website Name).com, we'll give it high priority. For general incidents, we'll inform our users through our blogs, forums, and social media. However, for incidents specific to individual users or organizations, we'll send notifications via email to the concerned party using their primary email address registered with us.
As data controllers, we adhere to the General Data Protection Regulation (GDPR) and notify the concerned Data Protection Authority of any breaches within 72 hours of becoming aware of them. If required, we also notify our customers. As data processors, we promptly inform the concerned data controllers.
We value the expertise of security researchers and have established a "Bug Bounty" program to encourage their contributions. This program recognizes and rewards researchers for their work. We collaborate with the community to verify, reproduce, and address reported vulnerabilities. If you discover any vulnerabilities, please submit the issues at [Website Name Bug Bounty]. You can also report vulnerabilities directly to us by emailing security@(Website Name).com.
We carefully evaluate and qualify our vendors based on our vendor management policy. Before onboarding new vendors, we assess their service delivery processes and perform risk assessments. To maintain the security standards we promise our customers, we establish agreements with vendors that require them to uphold confidentiality, availability, and integrity commitments. Regular reviews of their controls ensure the effectiveness of their processes and security measures.
Ensuring security is a shared responsibility. Here are some steps you can take as a customer to enhance security:
To understand the shared responsibility between you and (Website Name) for maintaining a secure cloud environment, please read our resource on "Understanding Shared Responsibility with (Website Name)." This document provides a comprehensive analysis of the shared responsibility model and how both customers and (Website Name) can collaborate to enhance cloud security and privacy.
Securing your data is your right, and it's a continuous mission at (Website Name). We are dedicated to keeping your data secure and will work tirelessly to maintain this commitment. If you have any further questions, please contact us. Your security is our priority.