
SECURITY MEASURES

Security Measures Overview

 

The platform we use deploys and maintains technical and organizational security measures to protect the company’s and our customers’ data and assets. The platform’s security team leads the facilitation and development of procedures, processes and controls that govern the security and integrity of us and our users.

 

Below is an overview of the principal measures we employ to keep our platform and our users secure.

 

The Platform Dedicated Security Team

 

The platform employs a team of security and privacy professionals who are experts in information, application and network security. The team maintain and constantly improve the company’s defense systems, develop security review processes, build security infrastructure, and implement the company security policies.

 

Our dedicated security team also actively scan the platform and infrastructure for security threats, perform penetration tests, conduct quality assurance measures and software security reviews, and provide project-specific consulting services to our product and engineering teams.

 

The security team, with the help of external experts, constantly monitor for suspicious activity in the network. They also address information security threats, and perform routine security assessments and audits.

 

Compliance and Certifications 

 

The Platform is a PCI Level 1 Merchant & Service Provider and is certified as ISO 27001 and ISO 27018 compliant.

 

Physical Access Controls 

 

Services are hosted on AWS and Google Cloud Platform cloud-based data centers, for which Equinix provides all physical colocation services. The infrastructure providers maintain industry-standard security certifications, including: ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1.

 

There are many data center locations for redundancy.

 

Offices worldwide are physically secured by personal identification access restriction and management.


Business Continuity, Incident Response and Disaster Recovery Plans 


Data centers and cloud service providers in separate geographic locations and different time zones are used to allow infrastructure and service availability, as well as continuity.


Business continuity, incident response and disaster recovery plans are developed, maintained, tested, and updated periodically.


Designated solutions are in place to protect against DDoS attacks and mitigate their effects.

 

Teams in multiple geographies are dedicated to supporting the Platform, services and supporting infrastructure.


System Access Controls

 

An access control policy is maintained that covers the internal network and systems processing personal data. This facilitates control processes, including access logging, monitoring and limitation.

 

Records and systems distinguish customer records and information from non-customer information. Data insertion, deletion, and modification are stamped and logged (date/time and relevant personnel).


Application Level Security, Monitoring and Risk Identification & Assessment


All cloud and public interfaces are automatically scanned for vulnerabilities and misconfigurations on a regular basis.  


Incoming attacks on the platform are regularly monitored, detected, and blocked.


Penetration tests are performed on the platform by the security team and an external third party on a regular basis. Results are evaluated and remediated (if needed). 

 

A security bug bounty program is maintained, which gives independent security researchers a platform for testing and submitting vulnerability reports.

 

Privacy controls are facilitated in the code to ensure customers’ data privacy and to prevent one customer from accessing another customer’s data.
