Security Policy
Effective Date: January 1, 2019
Nothing is more important than protecting our customers’ data. We adhere to enterprise-class security levels and highest encryption standards to keep customer data secure at all times. We apply GDPR rules for all customers.
Data centers
All Smarter Firms products run on best-in-class servers in Amazon AWS data centers located in United States of America. All Amazon AWS services are GDPR compliant. Customer data is always protected and never leaves data centers.
Host security
Servers are configured as bastion hosts with each server containing only the services it absolutely needs. No other software is added to the host to lessen the security penetration surface.
Smarter Firms software infrastructure is comprised of many microservices. Each microservice is isolated and ran on a specific docker host. Hosts are dynamically scaled depending on load.
Network security
Network security follows a multi-layered approach:
- At the top we use Amazon’s Virtual Private Cloud (VPC) utilizing its own security measures and principles
- Security groups are assigned to each instance type, permitting only networks and ports absolutely needed for each instance type to function
- Each instance has its own system firewall to protect its services even further
- At the single network point of entry, the network intrusion detection & prevention system is installed, with active monitoring, filtering and alerting system
- Every connection to our hosts is SSL encrypted using proven, peer-reviewed and open source encryption algorithms to prevent network sniffing, injecting and other attacks
Data Storage
Data at rest is encrypted via AES-256 encryption using the services AWS provides and/or native Linux tools.
Monitoring
We use on-site and off-site monitoring and alerting tools 24/7. We try to detect every anomaly which could affect our services, before it becomes an issue. Personnel is always available for urgent issues, which are escalated up the chain as necessary.
We strive for 99.99% uptime for all our products.
Penetration testing
Although our services are regularly upgraded, configured and monitored, regular penetration tests are employed to identify and remedy potential security issues. We try to perform such penetration tests at least on quarterly basis.
Internal IT Security
Critical passwords are secured in a virtual vault, using strong encryption protocols. Access is granted to authorized and qualified personnel only, on need-to-know basis.
Data protection, Disaster Recovery & Data Continuity
Production data is mirrored to multiple servers in a master/slave fashion. In case of an instance failure, other instances take over the load. New instance is launched, which then resyncs data and rejoins the cluster.
Backups are taken on a daily basis, some more often, depending on sensitivity of data. Backups are securely stored on encrypted storage in a GDPR compliant datacenter.
We test our recovery operations and backup quality by regular data recovery. Minimum data recovery is seven days, up to 30 days of retention. GDPR requirements are followed.
Certificates, compliance
As all software and customer data resides only in Amazon AWS infrastructure, AWS security certification compliance applies. Amazon AWS is certified with the following certificates, among others:
- ISO 27001: Information Security Management Systems (ISMS)
- ISO 27017: Cloud-specific security control guidance
- ISO 27018: Protection of Personally Identifiable Information (PII) in public clouds
- ISO 9001: Quality management systems
- SOC1
- SOC2
- SOC3
- PCI DSS 3.2
All Amazon’s AWS services are GDPR ready.
More info is available on the following links:
https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
https://aws.amazon.com/compliance/
If you feel that we are not abiding by this security policy, you should contact us immediately via telephone at 405-701-6378 or via email at [email protected].