Securiti respects our customers' privacy and keeping our customers' data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices put in place to achieve that objective.
Have questions or feedback? Feel free to reach out to us at [email protected]
Our security team comprises security experts dedicated to improving the security of our organization. Our team has played lead roles in designing and building highly secure Internet facing systems at companies ranging from startups to large public companies like Symantec, BlueCoat, Cisco, Qualys, Elastica and WiChorus. Our employees are trained on security incident response and are on call 24/7.
Securiti has taken a simple, no nonsense approach to security.
Our solution is hosted on Amazon Web Services. AWS is responsible for the security of the underlying cloud infrastructure and SECURITI takes the responsibility of securing workloads we deploy in AWS. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. You can read more about their practices here.
Securiti is SOC 2 Type II certified. A copy of the SOC 2 report can be made available upon request to prospective and current customers. Securiti also holds the ISO 27001:2013 certification.
Our solution is engineered to make use of multiple availability zones in a given AWS region and autoscales as needed to provide a highly available and reliable service.
Securiti's network architecture consists of multiple security zones with different tiers confined to their own zones. In particular, internet-facing endpoints are in their own zone and do not have direct access to the database tier or other internal services.
AWS GuardDuty is used to actively monitor all CloudTrail and VPC flow logs for anomalies or security incidents. AWS Security Hub is used to check all infrastructure policies and configuration against best practices and raise alerts. A well-known open-source host-based intrusion detection system (HIDS) is used to monitor both the hosts and the containers. AWS Shield provides the Web Application Firewall protection. The host and container images are scanned periodically for vulnerabilities; any vulnerabilities found are patched as per industry and SOC 2 guidelines.
We use AWS Shield as the Distributed Denial of Service (DDoS) mitigation service.
All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).
Any device storing data is subject to data-at-rest encryption, so a decommissioned device cannot be misused to recover that data. The encryption keys used for at-rest encryption are periodically rotated.
Any customer data that is identified and cataloged by SECURITI as personal data is subjected to a one-way, irreversible hash and stored in the customer's virtual database instance. At no point is such cataloged personal data captured in clear text in logs or databases.
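The following is an added illustration of the cataloging pattern described above (it is not Securiti's code and does not reflect how its platform is implemented). It replaces each personal-data field with a keyed one-way hash before the record is stored or logged, and checks that none of the original clear-text values survive in the stored record. The per-tenant HMAC key, the field names and the sample record are all constructed for the example; using a keyed hash (HMAC-SHA256) rather than a plain digest is an assumption made here so that the "irreversible" property also holds against guessing low-entropy values such as email addresses.

```python
import hashlib
import hmac
import json

# Assumption: each tenant has a secret key held outside the database
# (e.g. in a KMS-backed secret store). Placeholder value for the example only.
TENANT_KEY = b"example-tenant-key-placeholder"

# Assumption: which fields count as personal data comes from the cataloging step.
PERSONAL_FIELDS = {"email", "full_name", "phone"}


def pseudonymize(value: str, key: bytes = TENANT_KEY) -> str:
    """Return a hex HMAC-SHA256 of a normalized personal-data value.

    Normalization (trim + lowercase) makes the same identity map to the same
    token, so a later lookup (e.g. a deletion request for an email address)
    can be answered by hashing the query value, without storing clear text.
    """
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def catalog_record(record: dict, personal_fields: set = PERSONAL_FIELDS) -> dict:
    """Copy a record, replacing every personal-data field with its hash."""
    return {
        field: pseudonymize(str(value)) if field in personal_fields else value
        for field, value in record.items()
    }


def leaks_cleartext(stored: dict, original: dict,
                    personal_fields: set = PERSONAL_FIELDS) -> bool:
    """True if any original personal value appears in the stored record as it
    would be serialized to a database row or a log line."""
    serialized = json.dumps(stored)
    return any(str(original[f]) in serialized for f in personal_fields if f in original)


def lookup_token(query_value: str) -> str:
    """Token to search the catalog for, e.g. when handling a deletion request."""
    return pseudonymize(query_value)


# Constructed sample record, as an example of what a discovery scan might catalog.
SAMPLE_RECORD = {
    "record_id": 1042,
    "email": "  Jane.Doe@Example.com ",
    "full_name": "Jane Doe",
    "phone": "+1-555-0100",
    "source_system": "crm-export",
}

if __name__ == "__main__":
    stored = catalog_record(SAMPLE_RECORD)
    print(json.dumps(stored, indent=2))
    print("clear text leaked:", leaks_cleartext(stored, SAMPLE_RECORD))
    print("lookup matches:", lookup_token("jane.doe@example.com") == stored["email"])
```

The `leaks_cleartext` check is the kind of assertion a test suite can run over every code path that writes cataloged data, so that a future change which logs the raw record is caught before it reaches production.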
All sensitive configuration data (e.g. passwords, database or SaaS credentials) is encrypted using best practice encryption algorithms in the database.
We retain our customers' data for a period of one business week after a deletion request is received. All data is then completely removed from our systems. Every customer can request the removal of their account by contacting support.
We back up all our critical assets on a daily basis and regularly test restoring those backups to guarantee a fast recovery in case of disaster. All our backups are encrypted. All critical assets are configured with redundancy and thus provide high availability. Daily backups are copied to a different AWS region for disaster recovery. Securiti services are provisioned in the disaster recovery region using the pilot light strategy for a quick recovery.
Our development methodology follows security best practices and frameworks (e.g. OWASP Top 10).
Securiti is dedicated to keeping its cloud platform safe from all types of security issues, thereby providing a safe and secure environment for our customers. Data security is a matter of utmost importance and a top priority for us. If you are a security researcher or vulnerability hunter and have discovered a security flaw in the Securiti platform, including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Securiti. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not already known to us. When reporting a security vulnerability to Securiti's security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission, and please provide complete details. We determine the impact of a vulnerability by looking at its ease of exploitation and the business risks associated with it.
As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Securiti's security team commits to:
Acknowledge receipt of the reported security vulnerability in a timely fashion
As with most cloud services, access to the Securiti platform requires a login ID and password or integration with a Single Sign-On (SSO) provider. When an organization subscribes to the Securiti platform service, it is the customer's responsibility to manage which end users should be given access. Customers should also define when access should be taken away from end users. For example, access should be revoked upon an end user's separation from employment or as part of departmental changes that result in a change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Securiti platform service.
Brute-force password attacks are thwarted by requiring users to answer a captcha when our application is not integrated with a single sign-on vendor.
Single sign-on (SSO) can be implemented by our enterprise customers. We recommend making use of the additional protections (such as 2FA) that are offered by SSO vendors.
Advanced role-based access control (RBAC) is offered on all our customer accounts and allows our users to define roles and permissions.
We're compliant with the California Consumer Privacy Act (CCPA). Our commitment towards CCPA is outlined here.
We're compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.
All self-serve payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don't collect any payment information and are therefore not subject to PCI obligations.
Strict internal procedures restrict employee access to customer data. Only a subset of SECURITI's personnel have access to customer data, as necessary to support the platform. Individual access is granted based on the role and job responsibilities of the individual. Access to systems containing customer data is reviewed on a regular basis and monitored on an ongoing basis. Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our customers' sensitive information.