Effective: December 1, 2017
Product security is paramount at Software. Software employs an Agile development lifecycle. As a result, security-oriented software defects can be discovered and addressed more rapidly than under waterfall methodologies.
Software performs continuous integration, allowing us to rapidly respond to both functional and security issues. Well-defined change management policies and procedures determine when and how changes occur. We employ many security practices, including:
- Store data on our own enterprise-ready servers
- Standard enterprise-ready web server (Tomcat) configured for SSL
- Web server configured to prevent directory traversal and cross-site scripting
- Base64 password encryption
- All APIs are session protected except for login
- Session activity timeout
- Query string layer preventing malicious code injection
- Accepts only JSON requests preventing binary injection
- Scheduled snapshots of datastore for recovery, DDoS prevention
Our software-as-a-service offerings are hosted in Amazon Web Services (AWS). Physical and environmental security controls for production servers, which include buildings, locks or keys used on doors, are managed by AWS. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.
Software leverages internal services that require Transport Layer Security (TLS/SSL) for network access and individually authenticate users, commonly by way of a central identity provider and leveraging two-factor authentication wherever possible.
All private data exchanged with Software is always protected using Transport Layer Security (TLS/SSL). If encrypted communication is interrupted, the Software application is inaccessible. Software does not “fail open.” Software is careful not to log sensitive values in clear text.
Protection of Data at Rest
Customer data at Software is encrypted at rest using a secure symmetric cipher. AES with a key length of 256 bits is used for both storage of live Service data and Software Service backups.
Customer Data Storage Location
Software Service data currently resides in the United States of America.
For Service users, we will retain your personally identifying information (PII) for as long as your account is active or as needed to provide you access and use rights, which may include a limited 90-day tail period to allow for an orderly wind-down. Generally speaking, “full resolution” electronic information transmitted or received by you in relation to your use of the Service will be retained for a rolling 15-month look-back period, after which such information may be aggregated on the basis of a one-minute resolution for the duration of the Service period and any tail period. In addition, we may retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
Gathering of Personally Identifiable Information (PII)
Certain visitors to the website and Service choose to interact with Software in ways that require Software to gather personally identifiable information (PII). The amount and type of information that Software gathers depends on the nature of the interaction. For example, when signing up for a trial of the Service, we may ask a user to provide the user’s name and the name of the user’s company, as well as an email address and telephone number where we may contact the user and/or another representative of the user’s company. Each user is also expected to provide a username and password that, along with other information, we use to create and administer accounts. In each case, Software collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction with Software.
Customer Data Access
A limited number of Software personnel have access to customer data via access-controlled and logged mechanisms. Personnel engaged in customer support access a support application similar in structure to the Software end user web application that allows them to access customer data. Access to this system requires authenticating to our central identity provider and using two-factor authentication. Access to the customer support portal is strictly logged. Technical operations personnel have access to the raw service data storage. This access requires using a management VPN, authentication via public key, and two-factor authentication. Access to the staging and production management infrastructure is strictly logged. All other personnel are prohibited from accessing customer data.
If you believe you’ve discovered a bug in Software’s security, please get in touch at email@example.com and we will get back to you within 24 hours, and usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.
If you have any questions or concerns about our approach to security, please email us at firstname.lastname@example.org.