Nothing is more important to our company than the confidentiality, privacy and security of our customer’s data.
Despite that much of the information we collect and store is non-sensitive data, we take all security precautions seriously. We know that the services we provide are vital to our customers and we take safeguarding your data very seriously.
We have the necessary security and privacy standards in place. In fact multiple international companies trust Atiim with secure access to the product and with maintaining private information.
We have a privacy program established internally to help protect your data privacy rights. We maintain administrative and technical safeguards to protect against the loss, misuse and unauthorized access of personal information.
Atiim takes steps that are reasonably designed to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, including through secure socket layer, password protection and, for certain transmissions to our Services, encryption. However, due to the open communication nature of the Internet, we cannot guarantee that communications between you and the Site, and the Site and you, will be free from unauthorized access by third parties. Users of the Site do so at their own risk with respect to such communications.
Our Commitment to Trust
Trust is a core principle for us. It’s this commitment to customer privacy and trust that directs all of the decisions our team makes on a daily basis. Trust is the responsibility of every employee at our company and this is something we take very seriously.
Internal Security Process for Protecting Customer Information
Our CTO Manages the Security Process
Our security process is led by our CTO who works closely with our customer support organization and our customers to address risk and ensure our commitment to trust, privacy and confidentiality of customer information.
Access to Customer Data – Only Our CTO (Additional, Highly Secure Internal Access Process)
We have taken an additional level of precaution and as part of our internal policy on secure access to customer data, only our CTO has direct access to the production databases and to our infrastructure. All the engineers access is limited only to our non-production environment that is then reviewed and approved by the CTO who in turn is the only one that can access these production databases for any engineering or product update purposes.
Support’s Access to Customer Data
Our support staff does not access or interact with customer data in the production database as part of normal operations. There may be cases where our support is requested to interact with customer data or applications at the request of the customer for support purposes or where required by law. All such support-related access is done only with customer request and approval or government mandate.
Our Engineers and Security
Even with the above security process that limits access to customer data to our CTO, we want to communicate that our engineering group is a highly experienced team with years of experience developing secure software technologies to ensure privacy and confidentiality of the customer’s data.
Employee Screening and Internal Security Policies
Furthermore, as a condition of employment at Atiim, all of our employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies. At our company we use 2-factor authentication and strong password policies for all services that our engineering and support teams use. We also encrypt the hard drives on the computers used by our employees.
Encryption of Data
Encryption of Data “In Transit”
Our data and content is transferred 100% over secure HTTPS protocol (256-bit encryption) to protect sensitive data transmitted to and from applications and all transfer of data and connections from our application servers to our databases are TLS (256-bit encryption) encrypted.
Encryption of Data “At Rest”
All of our confidential and private customers data are stored in secure database that is encrypted at rest and the database files where they are stored on the secure hard drives are encrypted. The database (see below for details on the Postgres database that we use) is compliant with the industry’s data security requirements. Also, the data encryption is deployed adhering and compliant with the industry-standard encryption and best practices for the frameworks we use.
Our Hosting and Infrastructure is Secure
Atiim does not host any of its infrastructure at its own premises. All of our secure servers and hosting are physically located at highly secure data centers – we use Heroku cloud application platform infrastructure (owned by a large, multi-billion publicly-traded company which itself is compliant with rigorous security requirements) which is in turn managed on Amazon AWS infrastructure that offers its own additional security. Amazon AWS and Heroku are the world’s top and most secure infrastructure service providers which meet the top security requirements and are compliant with all of the industry security standards. They provide the highest levels of physical and network security, and maintain many levels of audited security including SOC-2, ISO 27001 and SOX compliance. Additionally, access to these data centers is strictly controlled and monitored by 24×7 on-site security staff, biometric scanning and video surveillance.
Data Center Security
Heroku’s physical infrastructure is hosted and managed in Amazon’s secure data centers. It utilize the Amazon Web Service (AWS) technology which continually manages risk and goes through recurring security assessments to ensure compliance with rigorous industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: https://aws.amazon.com/security
Heroku’s vulnerability management process is designed to remediate risks without customer interaction or impact. Heroku is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to Heroku’s environment, ranked based on risk, and assigned to the appropriate team for resolution.
New systems are deployed with the latest updates, security fixes, and Heroku configurations and existing systems are decommissioned as customers are migrated to the new instances. This process allows Heroku to keep the environment up-to-date. Since customer applications run in isolated environments, they are unaffected by these core system updates.
To further mitigate risk, each component type is assigned to a unique network security group. These security groups are designed to only allow access to the ports and protocols required for the specific component type. For example, user applications running within an isolated dyno are denied access to the Heroku management infrastructure as each is within its own network security group and access is not allowed between the two.
Data and Application Security on Heroku
Each application on the Heroku platform runs within its own isolated environment and cannot interact with other applications or areas of the system. This restrictive operating environment is designed to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system using LXC while host-based firewalls restrict applications from establishing local network connections.
Security Protections With Cloudflare Security
We use Cloudflare which is a web performance and security company for data and content delivery. Its security service operates in a way to help make it possible to identify and mitigate threats faster:
- DDoS Protection – Cloudflare enterprise-class DDoS protection network has 20 times more capacity than the largest DDoS attack ever recorded. Operating at the network edge, it protects against all forms of DDoS attacks.
- Web Application Firewall (WAF) – the WAF (web application firewall) benefits from the collective intelligence of Cloudflare’s entire network. When they identify a new threat from one website, they can automatically block it from the other 6 million websites on the network which includes us.
- Rate Limiting – Cloudflare’s Rate Limiting security protects the website’s critical resources by providing fine-grained control to block visitors with suspicious request rates. Rate Limiting protects against denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer. Also, Cloudflare’s 10 Tbps global anycast network is 10X bigger than the largest DDoS attack ever recorded, allowing websites like ours on Cloudflare’s network to withstand even massive DDoS attacks.
Secure Access and Authentication
Access to Atiim is via an HTTPS (TLS & SSL with a 256-bit encryption), an HTTP Secure internet protocol for secure communication over internet encrypted by Transport Layer Security (TLS) and Secure Sockets Layer (SSL). We use HTTPS for authentication of all visits to our website and SaaS, and for protection of the privacy and integrity of the exchanged data.
Additionally, the secure access over our HTTPS provides bidirectional encryption of communications between our clients and our servers that protects against eavesdropping and tampering with the data and ensures that the contents of communications between the users and our site cannot be read or forged by any third party.
Our Domain Registrar Is Secure
Security standards state that setting a registered domain through a secure registrar is the most secure way to protect the domain from hijacking. Our registrar’s SSL Certificate uses the McAfee SECURE Trustmark which ensures the site has been scanned and cleared by one of the most trusted names in online security.
Secure Data Storage
Our data is stored in multi-tenant storage systems accessible to our customers only via the Atiim Application. What does that mean for our customers? No end-user or other customer has direct access to the underlying information. Period.
We ensure that all customer data is replicated and backed up in multiple durable data-stores.
Secure Database: Heroku Postgres
Customer data is stored in separate access-controlled databases per application. Each database requires a unique username and password that is only valid for that specific database and is unique to a single application. Customers with multiple applications and databases are assigned separate databases and accounts per application to mitigate the risk of unauthorized access between applications.
Customer connections to Postgres databases require SSL encryption to ensure a high level of security and privacy. When deploying applications, we encourage customers to take advantage of encrypted database connections.
Stored data can be encrypted by customer applications in order to meet data security requirements. Customers can implement data storage, key management, and data retention requirements when developing their application.
Despite that most of the customer information we collect and store is primarily non-sensitive data, we take all of the security precautions very seriously. Thus, starting in the 2017-2018 calendar year, we will have a professional Security Audit company audit our systems for security vulnerabilities to ensure we are always adhering to the best practices of security protection. Additionally, we use security log management technology called Papertrail (and we will also be using full-stack monitoring and analytics like Rollbar) to provide an audit trail on our software and the infrastructure. Such auditing procedures will allow us to perform consistent security analysis, track changes in our infrastructure and audit access to all layers of our system.
We Take All Security Precautions Seriously
We take all security precautions very seriously. However, it is also important to note, that just like any other company, it is impossible for us or others to guarantee the safety and security and, consequently, we cannot ensure or warrant the security of any information.
Have Questions About Our Security?
If you have any questions about our security, please do not hesitate to contact us at: [email protected].