SECURITY POLICY
Effective: December 19, 2016
At Amberity, security is our absolute highest priority. Therefore, we go to considerable lengths to ensure that the data of our customers is handled securely and safely. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Amberity platform.

Privacy and Data
Amberity maintains a comprehensive privacy program. We do not sell the personal information of our customers to third parties, and we have a legal and security team focused on privacy and security issues. All customer data is stored in the USA. Amberity’s backend is supported by multi-tenant datastores to persist data. All data at rest and the associated keys are encrypted using the industry-standard AES-256 algorithm. For further details on encryption at rest, please see the AWS encryption procedures.

Infrastructure
All of our services run in the cloud. The vast majority of our services and data are hosted in Amazon Web Services (AWS), which is trusted by thousands of businesses to store and serve data/services.
Amazon Web Services undergoes regular assessments to ensure compliance with industry standards and continually manages risk. By using AWS as a data center operations provider, our data center operations are accredited by:
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- ISO 27001
- PCI-DSS Level 1 Service Provider
More information about AWS security can be found here.
All of our servers are within our own virtual private cloud (VPC), with software-level network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network and restrict access between services. We segment the network so that each type of server is isolated from the others; only the few servers that need it have Internet access, and most servers have neither Internet access nor Internet-routable IPs. Development and Production environments are isolated from each other, with completely independent networks and no shared infrastructure. Access to our secure network requires both a cryptographic signature and multi-factor authentication.

Application Development and Monitoring
Amberity is committed to designing, building, and maintaining secure systems. All our applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.
Amberity institutes strict code reviews of changes to sensitive areas of our codebase. We also peer review all software and configuration changes for security, compliance, and performance implications prior to publishing new versions of our API or customer applications. We have many unit and integration tests in place to ensure everything works as expected. These tests are run automatically every time our codebase is updated, and even a single failing test will prevent new code from being shipped to production.
All access to Amberity applications is logged and audited.

Encryption
Amberity uses strong encryption methods and key management procedures to ensure your sensitive information is protected at all times, both at rest and in transit. Our API and application endpoints are accessible via TLS/SSL only and are regularly updated to use the strongest cipher suites and TLS configuration. Access to encryption keys and application secrets is held by the smallest number of Amberity employees possible.

PCI Obligations
Amberity is not subject to PCI obligations.

Research and Disclosure
Security vulnerabilities are an unfortunate but recognized issue in software. At Amberity we take them very seriously. Do not attempt to harm Amberity, its users, or customers’ data. Found a security vulnerability? We reward security researchers for their hard work finding security vulnerabilities in our systems. Please send details to firstname.lastname@example.org, including full details and steps to reproduce. We appreciate your help in notifying us of vulnerabilities in a responsible manner.