Information Security Overview

Our commitment to data privacy and security is embedded in every part of our business. Use this document to learn about our security posture.

Compliance

We are working on

Application Security

Audit Logging

We enabled logging of various types on all critical systems. These logs are ingested by our observability and security platform to monitor operational status and to provide alerting.

Integration Assessments

We reviewed every integration into our systems for legal and security purposes.

Robust QA

We performed thorough QA before every release to ensure the release met our quality and security requirements.

Third-party Penetration Tests

We hired reputable security consulting companies to perform penetration testing against our product annually and before every major release.

FOSS Reviews

We reviewed every open-source software component before integrating it into our systems.

Secure Development Lifecycle

We use secure development lifecycle (SDLC) methodologies to ensure code is written securely and follows best practices.

Threat & Vulnerability Management

We performed Threat & Vulnerability assessments on all infrastructure and services continuously to ensure issues were triaged and resolved promptly.

Branch Protection Rules

We enforced branch protection rules to ensure requirements were met before any pushes.

Dependency Scanning

We analyze our application's dependencies for known vulnerabilities to ensure we maintain known-good versions of third-party components.

Infrastructure as Code Scanning

We scan for misconfigurations during the deployment pipeline to ensure infrastructure is configured according to best practices.

Data Security

Backups Enabled

We automated daily backups and store them encrypted, with monitoring and alerting in place.

Encryption-at-rest

Data are encrypted at rest using AES-256 for all storage.

Encryption-in-transit

Data sent in transit is encrypted using TLS 1.2 or greater.

Network Security

Firewall

We deployed network firewalls in our environments for traffic filtering.

IDS/IPS

We deployed a mixture of both host and network IDS/IPS systems in our environments and monitored suspicious traffic through signature-based and behavioral detections.

Network Segregation

We enforced segregation in the network layers according to best practices to ensure critical systems were segregated from the rest.

VPN integrated with SSO and MFA

We integrated our VPN with SSO login and require MFA for access.

Infrastructure Security

Status Monitoring

We monitor our operational status through the observability platform and have alerting in place for outages.

Amazon Web Services

We host our infrastructure in Amazon Web Services.

Anti-DDoS

We utilize AWS's DDoS prevention services.

WAF

We utilize AWS’s WAF to deter attempts to exploit known vulnerabilities.

Security Guardrails

We deployed Security Guardrails to prevent deviations from expected behavior.

AWS Landing Zones

We use AWS Landing Zones as a baseline to deploy workloads and applications.

Isolated Logging Account

We host all critical security logs in an isolated logging account.

Security Information and Event Management

We monitor security detections across all our environments through our SIEM platform.

Endpoint Security

Disk Encryption

We enforced mandatory disk encryption for all endpoints through our MDM platform.

Mobile Device Management

We manage company devices through our MDM solution to enforce our security policy and ensure automatic updates/patching and remote wipe capability.

Endpoint Detection & Response

We deployed endpoint detection and response tooling across all endpoints to detect anomalous activity and provide telemetry to our SIEM.

Identity Providers with SSO & MFA

We use Identity Providers to manage authentication and authorization for all our applications, and they enforce MFA at login.

Corporate Security

Asset Management Practices

We inventory all our assets and equipment in tracking systems so that every item is accounted for.

Incident Response

We have an Incident Response process to ensure all investigation procedures are followed and handled properly.

InfoSec & Awareness Training

We train our employees on security risks and awareness during onboarding and annually, and we conduct regular phishing simulations to test readiness.

Access Control

Privileged Access Management

We use a zero-trust access solution to manage access to our infrastructure and apply the principle of least privilege when granting access to employees.

Every activity or access event is logged and monitored through our SIEM platform.

Data Access

We restricted all access to sensitive data using Security Guardrails and required management approvals for all access requests.

Audit Logging

All our infrastructure and access management platforms have audit logging enabled; these logs are stored in our isolated logging account and ingested into our SIEM for monitoring purposes.